The Rise of the Data Processing Addendum
The Christmas tree is upside down in the bin, the left-over turkey is finally finished and the to-do list for 2018 is starting to take shape. It goes without saying that four particular letters will adorn almost every business strategy board for at least the next four months and unsurprisingly, those letters are GDPR.
With only four months to go it’s fair to say that a little urgency is required but there’s still plenty of time to finalise, continue or even start a well-planned compliance programme. The obvious question is, as time ticks away, what actions should you prioritise? A smart way to allocate your resources is to focus your initial efforts on those undertakings that you don’t have full control of the timescale. By this I mean anything that requires input from those outside of your organisation.
To enable you to meet the accountability criteria under the GDPR you will need to be able to evidence a series of documents including (but not limited to) policies, privacy notices and in many circumstances, detailed records of processing. Theoretically, the creation of these are all within your own control (or the control of those you contract to undertake their creation). As the 25th of May deadline marches ever closer, a smart place to start is to focus on your contracts.
Get It In Writing
The GDPR has introduced a string of new obligations to be imposed upon processors and these have to be in a written document between the controller and processor (or processor and their sub-processor) undertaking the work of personal data processing. This means that any contracts for the processing of personal data (think about payroll providers, marketing companies, data storage companies, etc) that you will continue to rely on after 25 May 2018 will need to have data processing terms included. The reason it makes sense to shuffle the task of finalising these contracts to the top of your list is that the process of drafting, sending, negotiating and signing every processing agreement you intend to continue using after May 2018 can be a lengthy process and is only as swift as the response time and receptiveness of the other party.
Much like every obligation in the GDPR, this one comes with its own specific punishment for non-compliance and in this case failing to include the specifics required in a processing agreement (in writing) under Article 28 of the GDPR packs a hefty fine of €10m or 2% of global annual turnover (whichever is highest). The ICO has also been granted greater auditing powers under the GDPR to examine how controllers and processors are managing their compliance obligations once the new law is fully enforceable. Needless to say, examining how processing relationships are governed (and how they are evidenced in writing) will be one of the core components of these potential investigations.
The text of the GDPR leaves little wiggle room regarding certain data protection measures that must be included in these contracts (or as additional clauses in existing T&Cs to be updated by 25 May 2018), but as with all contracts, the division of liability and application of indemnities is left to be decided between the respective parties. It’s fair to say that when the processor in question is a multi-national behemoth offering services such as cloud storage, your negotiation options may be a little limited, but they will still be required to provide written documents confirming that they will manage data on behalf of the controller in a GDPR compliant fashion.
The Rise of the Data Processing Addendum
If businesses are acting as controllers or joint controllers of personal information they may find themselves on the hook for breaches of data protection law committed by their co-controller or processor. This is where the importance of contractual provisions within these clauses and contracts comes into play. Having clearly defined obligations on both sides of the Data Processing Agreement is very important, but equally so is the ability to create a contractual method of retrieving any losses incurred due to the failings of the party.
As Contract Law specialists, we have seen an increasing number Data Protection Addendums being sent to processors which seek to override the terms of their existing Agreement. Some are very pro-controller and aggressive in their nature and some are not even effectively incorporated into the legal relationship.
Whether you are a controller or processor, being the first to get your Data Protection Agreement or Data Protection Addendum to the other side may be key to your bargaining strength. The GDPR does not explicitly state who is responsible for the drafting of the mandatory written agreement and therefore, if you are a processor, you may wish to get your own Data Protection Addendum drafted in a manner which is acceptable to you and your business.
As the deadline approaches, the ability to negotiate more reasonable terms may be eroded by the necessity to complete the agreement within the time frame.
The key actions to undertake now are:
• identify all parties who you share personal information with or receive personal information from;
• assess whether you have written contractual agreements in place with all of these and whether those agreements include the information required under Article 28 of the GDPR; and
• if you hold agreements with these parties, are you happy with the contractual provisions regarding the division of risk regarding data protection.
If you would like any assistance with drafting a suitable stand-alone Data Processing Agreement or a Data Processing Addendum to incorporate into your existing contracts, please get in touch by emailing firstname.lastname@example.org or calling 01603 339044.
Please note: the content of this article is for general information only and does not constitute legal advice. Specific legal advice should be taken in any specific circumstance.