News analysis: GDPR contracts - united in confusion?
It has been a long time coming, but with GDPR implementation day now firmly in sight, even the national media are starting to take note. Yet while awareness - and media coverage - of the new Regulation may be on the rise, according to a recent Institute of Directors survey, some 40% of UK bosses still do not know how the changes will affect their own business.
But even for those in the know, there is still much confusion, amid claims that the Information Commissioner's Office should be doing more to help companies prepare. In response, Commissioner Elizabeth Denham has claimed that her office is being hampered by a "brain drain" due to increased competition from both the public and private sector, as organisations woo staff from her office to boost their own GDPR preparations.
Many argue that those seeking the final GDPR guidance could suffer from the curse of the London bus - you wait ages for one and three come along at once. A case in point is the issue of the contractual relationship between brands and data suppliers. The ICO's consultation on contracts concluded last week, but guidance on this is unlikely to be available for months. In the meantime, how can brands and their suppliers ensure a smooth transition to the new regime and where can they go for advice?
“GDPR sets out specific terms that must be included in a data processing agreement.”
According to industry body the DMA, the best place to start is the ICO's draft guidance itself, which in many cases builds on the current framework included in the Data Protection Act 1998.
DMA external affairs manager, Zach Thornton, explained what should be set out, including the subject matter and how long the processing of the personal information will last, the nature and purpose of the processing, the type of personal information involved and categories of data subjects, and the obligations and rights of the brand/ data controller.
He pointed out that there are a number of other requirements that must be laid out as a minimum, which are also explained in the ICO’s draft guidance. “This is an area where GDPR should be seen as evolutionary, rather than revolutionary. But under the new regulation, the data processing agreement will have to cover all the requirements of the GDPR, not just on the requirement to keep personal information secure. GDPR sets out specific terms that must be included in such a data processing agreement,” he added.
However, Peter Galdies, founder and director of DQM GRC, believes that existing contracts are unlikely to be specific enough to meet the standards of this requirement - generic terms will not suffice. According to Galdies, ”in many instances, brands will be using the supplier's contract, such as those used by cloud- or web-based generic services, and suppliers may now have to accept and store many unique contracts. There will be some approved standard clauses made available by the EU, but these are yet to be developed. It is unlikely that these will remove the need for the contract to be specific."
And REaD Group chief executive, Jon Cano-Lopez, said that his company's recommendation is that all existing contracts will need to be audited to ensure they meet these requirements, and new amendments and schedules should be added as and when appropriate. One solution which some suppliers are embracing is to ensure that contracts with clients currently end on 24th May 2018 and restart on the 25th, in the hope that, by then, the ICO will have its guidance in place. But is this workable?
“What both sides need to ensure is that extra requirements are able to be demonstrated.”
Charles Ping, chairman of Engine-owned insight agency Fuel, and a member of the Data Protection Network, argues there is no time like the present to act: "While the law has a firm changeover date, I see no reason to wait until May next year to make the change. Whether by wholesale re-contracting or by the replacement of clauses, it's not too onerous. What both sides need to ensure is that extra requirements are able to be demonstrated if the contract mandates."
Thornton also disputes this approach, arguing that any insistence that a contract must cease on the 24th could possibly damage a commercial relationship. He added: "Organisations should speak with one another about the best way to proceed and begin a dialogue regarding what may need to change in the contract in order to comply with GDPR. This is part of a normal working relationship and should be discussed thoroughly.”
This iterative approach is also countenanced by Galdies. He said: "Existing contracts may require updates and additions prior to the May deadline for the contract to be legal afterwards. We believe this is achievable - and suppliers can help by shaping standard contract templates which allow the brand to add specific details. Brands and suppliers must be working now towards this date, although all should keep an 'ear to the ground' for standardised, approved, contractual terms issued by the EU.”
“Uncertainty means it may be necessary for suppliers to restart contracts.”
But Cano-Lopez explained that, while it may seem like a long-winded approach, introducing new contracts on 25th May ensures that both suppliers and clients are protecting themselves. "There is still a great deal of uncertainty around key elements of GDPR, for example, concerning the themes of consent and legitimate interest. This uncertainty means it may be necessary for suppliers to restart contracts in this way in order to comply with GDPR, while the industry awaits further clarification from the ICO,” he said.
Another area of the "evolution not revolution" approach concerns the fact that, under current law, suppliers are only subject to liability for failure to comply with their contractual obligations to their clients. Under GDPR, they now face the prospect of direct action by regulators and data subjects. So what are the consequences of this?
Thornton said the change reflects the important role that suppliers play in using and analysing personal data: "The biggest change is for suppliers who are not liable under the current law. Once GDPR is enforced, suppliers could potentially get in trouble if they breach the terms of the contract with the brand or commit a fundamental breach of GDPR.”
“Expenses may travel up the supply chain as extra cost."
Galdies added that while it will benefit consumers - as suppliers will not be able to hide behind a brand's legal liability - the consequences for suppliers could be extremely onerous, with both contractual and legal liabilities resting heavily upon their shoulders. "Inevitably," he predicts, "there may be extra expense incurred by brands managing these liabilities and these expenses may travel up the supply chain as extra cost."
So are brands getting jittery at the prospect of the liability they will face as a result of suppliers not being compliant? Thornton said that there is a sense in some quarters that brands need to do more to ensure that the suppliers they use are fully compliant with GDPR and do not pose a risk to the business - he urges companies to be more diligent.
"Brands should be carrying out robust audits on their suppliers to make sure that they’re abiding by the law and this process should be ramped up as GDPR approaches," Thornton argued. "Brands already make extensive checks on suppliers regarding security requirements, as this is necessary under the DPA. But GDPR broadens this to other aspects of data protection, so we should see the changes in this context of evolving change.”
Both Galdies and Cano-Lopez have both witnessed increasing concerns over compliance and brands taking a more rigorous approach, however. Galdies explained: "Brands are already aware of the risks posed by suppliers who do not process data correctly and this is being emphasised further by GDPR. This is translating into much stronger due diligence processes, often including audit and inspection. Some brands are now even 'seeding' their personal data in order to identify misuse or breach at supplier locations.”
“More significant liabilities for suppliers have been entering into contracts from brands.”
Meanwhile at REaD Group, where the company has increased its investment in compliance, information security and due diligence processes over the past few years, Cano Lopez says the firm has noticed more significant liabilities entering into contracts from brands in the last 12 months.
Yet, given the fact that companies are still being caught out under existing legislation, and a recent Experian survey which showed that nearly half of all firms say they are still struggling with the 1998 Act, how big a problem is this likely to be?
Galdies predicted it will be a major issue for those not already on the road to compliance - with little time remaining, there may be many contracts to modify and inevitably some work may need to be moved if suppliers cannot provide the guarantees required. "Over time, however, some standardised methods will arise," he said.
“It would still mean a huge increase in average fines.”
One final note of caution, however, is the threat of fines for non-compliance. Despite Commissioner Denham's recent insistence that monetary penalties are always the last resort and that, historically at least, the ICO has only ever fined firms an average of 20% of the current maximum of £500,000, DMA's Thornton feared this is no time for complacency.
He concluded: "In recent blogs, the ICO has said that it would continue with its proportionate and harm-based approach. But even by maintaining this position, it would still mean a huge increase in average fines. After all, 20% of the €20 million (£17 million) maximum penalty under GDPR is still €4 million (£3.4 million).” And, for most firms, that would be curtains.