How to Ensure Contracts Are GDPR Compliant

By LinkSquares Team

The following is an excerpt from The Link, LinkSquares' quarterly publication. Check out the full publication here.

It’s been three years since the European Union's (EU) General Data Protection Regulation (GDPR) took effect. The privacy measure did more than force websites to obtain consent before using browser cookies. In fact, GDPR imposes explicit and wide-ranging constraints on businesses that use online data. Further, enforcement of infractions isn’t an empty threat. According to research from multinational law firm DLA Piper, from January 26, 2020 to January 27, 2021, GDPR fines rose nearly 40%, with penalties amounting to €158.5 million ($191.5 million).


If your company does business inside the EU, or with any of its residents, you need to be compliant. However, when it comes to contracts, many companies struggle. In particular, there are five standard contract clauses that often require GDPR updates. Here’s what they are and what companies need to do.

  • Data Processing Clause: Companies that handle personal data must specify the purpose of the processing and whether the data is used for providing services or for other purposes. If a data processor engages sub-contractors or sub-processors, it requires the consent of the data controller, which is your organization. Sub-processors must maintain the same level of security and confidentiality as the processor and controller. This will require an audited copy of all sub-processors' privacy policies and service contracts.

  • Data Security Clause: If your company performs data processing, you must commit to an adequate level of data protection. This clause should stipulate the technical and other measures used. Typically, this would include such measures as encryption, role-based security access and third-party certification.

  • Breach Notification Clause: This has to detail your breach notification process. For instance, the supervising authority must be notified of the number of individuals and records impacted, the name of your data protection officer, details on the likely consequences, and the steps taken to mitigate damage. A similar notification must be spelled out and made to the individuals whose information was breached. The standard GDPR notification window is a "reasonable period of time," which is 72 hours at most.

  • Audit Clause: As a processor of data, your organization must keep records of the processing it carries out for the controller. Contracts must not only show that these records are being maintained; they must also outline the process by which clients and other relevant parties can view and verify the documents.

  • Third Party Vendor Clause: Data controllers are responsible for their own compliance and that of their processors and sub-processors. Therefore, your contract should stipulate all methods and standards used to verify the security measures of any third-party contractor.

For companies without in-house legal teams, the European Commission publishes GDPR Standard Contractual Clauses. The easiest path to GDPR compliance is to add these clauses to contracts, but first, make sure you can abide by them. Keep in mind that contractual clauses are regularly updated, so don’t take a “set it and forget it” approach. If you want to ensure compliance over time, it’s best to use contract automation software like LinkSquares.

For more information on how to get your contracts into GDPR shape, download our eBook, “How to Make Your Contracts GDPR Compliant (And Keep Them That Way).”