Contractual Implications for IT Businesses of the GDPR
Why all IT businesses should be reviewing their contracts ahead of the May 2018 GDPR deadline?
The new EU General Data Protection Regulation (2016/679) introduces a single framework of data protection compliance throughout the EU. The deadline for compliance is 25th May 2018.
Almost all businesses will be affected by the GDPRs requirements in one way or another, however the implications of the GDPR will be more onerous for businesses which regularly process or control personal data, this includes many IT firms.
Prior to the GDPR only data controllers were directly liable for non-compliance with data protection regulation. Most IT businesses fall under the category of data processors, not controllers. Therefore, in the absence of any contractual agreement to the contrary, IT service providers could largely avoid liability for a data breach. All this changes however under the new regulations.
IT companies will need to look carefully at their procedures, policies and contractual obligations to avoid falling foul of the GDPR.
This note focuses on the steps that IT companies should be taking with regards to their contracts in light of the looming deadline.
Data Controller or Data Processor?
In most cases IT businesses will be, as within their relationships with customers, Data Processors rather than Data Controllers. The regime is still more onerous for Data Controllers, although for the first time, under the GDPR, data subjects will be able to take action directly against the Data Processor if the processor is in breach. As well as damages claims, Data Processors will also be liable to fines and other sanctions from the regulator (fines of up to 4% of total turnover).
For this reason, it is extremely important that:
- IT businesses ensure that rights and responsibilities relating to data are clearly set out in their contracts; and
- That they don’t behave in a way that would suggest, despite any contractual categorisation, that they are in fact Data Controllers.
Practical factors that may suggest an IT business is acting as a Data Controller, or a joint controller would be:
- There is a low level of instruction given to the party processing the data, which would suggest a level of independence;
- The impression given to data subjects is that the IT business has control over processing the data;
- There is no monitoring or insufficient monitoring by the Data Controller;
- The IT business has greater expertise in dealing with data than the Data Controller;
- The IT business determines the purposes and means of the processing, including decisions such as:
- Which items of personal data to collect
- Which individuals to collect data about
- Whether to disclose the data and to whom
- How long to retain the data
Data Processor Contractual Requirements
The GDPR includes substantially more contractual terms that Data Controllers and Data Processors must include in their processing contracts. The GDPR states that processing by a processor shall be “governed by a contract or other legal act under Union or Member State law” that sets out:
The subject matter and duration of the processing
The nature and purpose of the processing
The type of personal data processed and the categories of data subjects
The obligations and rights of the Data Controller.
In addition, Article 28(3) of the GDPR requires that data processing contracts ensure that Data Processors:
- Process personal data only on documented instructions from the controller including with regard to transfer of data to a third country or international organisation (save for in limited circumstances).
- Ensure that all personnel authorised to process the data are bound by confidentiality obligations.
- Ensure the adequate security of the personal data that it processes pursuant to Article 32.
- Abide by the rules regarding appointment of sub-processors.
- Taking into account the nature of the processing, assist the Data Controller by appropriate technical and organisational measures in complying with Data Subjects’ rights.
- Assist the controller in ensuring compliance with the data security requirements in Articles 32 to 36 taking into account the nature of the processing and the information available to the processor.
- At the choice of the controller either return or delete the personal data at the end of the provision of services, unless EU or Member State law requires a longer retention period.
- Make available to the controller all information necessary for the Data Controller to demonstrate compliance with the GDPR’s obligations relating to engaging Data Processors.
Organisations acting as Data Processors should examine the language in existing processing agreements to determine whether the agreements they have comply with the GDPR. If existing agreements do not comply with the GDPR, it is in both parties interests to review those contracts to ensure compliance.
The changes brought by the GDPR undoubtedly increase the risk profile of IT Companies acting as Data Processors.
As well as ensuring compliance, IT businesses need to consider the commercial aspects of dealing with data protection. When negotiating or updating contracts with customers or data processing agreements, IT companies should consider:
- Whether their costs should increase in order to meet the new and ongoing compliance standards
- Whether they require a different approach to apportioning risk within their contracts
- Whether to include provisions relating to apportioning liability or dispute resolution, particularly in instances where there is joint liability.
If you would like to speak to somebody about updating your IT terms of business or any other issues relating to data protection, please contact Lorraine Smith on 01785 223440 or email Lorraine.firstname.lastname@example.org