Welcome back to our blog series all about General Data Protection Regulation (GDPR) compliance. Yesterday we covered the relevant terms and provisions of GDPR. Today, we’ll go over the primary contract clauses that need to be brought up to GDPR standards.
Data Processing Clause
Sometimes called the Data or Customer Data clause. Companies processing personal data have to ensure that they specify the purpose of the processing and whether the data is used for providing services or for other purposes (improve services, research, etc.).
If a data processor engages sub-contractors or sub-processors, it requires the consent of the data controller (your organization). Further, the sub-processors must be bound by the same level of security and confidentiality requirements that bind the processor and the controller. This will require an audited copy of all sub-processors' privacy policies and service contracts.
Data Security Clause
If your company performs data processing, you must commit to providing an adequate level of protection required for processing. This clause should stipulate, broadly, the technical and other measures taken to protect the data. Common measures include encryption, role-based security access, third-party certification, etc.
Breach Notification Clause
This clause must include the details of your breach notification process. Notifications made to the supervising authority must include approximate numbers of individuals and records concerned, the name of the organization’s data protection officer or another contact, and the likely consequences of the breach and the measures taken to mitigate harm. A similar notification must be made to individuals whose personal information was exposed.
Breach Notice Period
Your deadline for notifying others of a data breach must be explicitly spelled out in your contracts. GDPR standard is notification within a "reasonable period of time," or 72 hours where feasible.
As a data processor, your organization must be able to demonstrate compliance with GDPR by keeping records of the processing it carries out for the controller. Your contracts must stipulate the records maintained, and the process by which clients and other relevant parties can view and verify those records.
Third-Party Vendor Clause
Under GDPR, data controllers are responsible for their own compliance as well as that of their processors and sub-processors. Your contract should stipulate the methods and standards you use to verify the security measures of any third-party contractors.
GDPR Standard Contractual Clauses
In an effort to simplify the work of GDPR compliance for businesses and organizations that don't have in-house legal teams, the European Commission publishes GDPR Standard Contractual Clauses. Provided your organization can abide by the commitments documented in these clauses, adding them to your client contracts is the easiest path towards GDPR compliance.
Note that the European Commission regularly updates these contractual clauses, so your organization cannot adopt a "set it and forget it" policy of adopting this contractual language.
Tomorrow, we will go over ways that you can maintain GDPR contract compliance with LinkSquares. For the full guide on staying GDPR compliant, read this eBook.
Subscribe to the LinkSquares Blog
Stay up to date on best practices for GCs and legal teams, current events, legal tech, and more.