Race against the clock for revising third party contracts ahead of GDPR

On your marksThere’s currently a ‘wait and see’ with the forthcoming EU General Data Protection Regulation (GDPR) and what’s certain from all the conversations we’re having with companies is that they need clear guidance in how to prepare for the inevitable when it arrives.

However, that doesn’t mean that companies should sit on their hands and wait, according to Martin Hickley, a leading data protection and governance expert.

“Imagine you’re a company and the data controller. You know that once the GDPR is approved, you’ll have a two-year grace period in order to ensure that all data protection and security procedures comply with the principles of the EU Regulation. However, two years is a shorter period of time compared with the average length of most business contracts so the implications of the GDPR take effect not in some distance point in time but from TODAY.

“For example, all contact renewals and new contacts that entail personal data transfer or processing will need to have a clause in them that effectively says that once the new EU Regulation is passed, the third party has to supply to you within a set time frame its plans to become compliant with the GDPR.

“Furthermore, you might need to re-negotiate the third party contract based upon those plans, due to cost and liability issues.

“For example, we know there’ll be a statutory requirement to declare a data breach within a very short time frame, so the third party will need a formal process to tell you that they believe there’s a breach and this is what you have to report.

“Timescales are short because it’s a two company process. But who’s responsible if the deadline isn’t met? The answer is simple – it’s you as the data controller!

“What penalties do you accept, and what do you pass onto the third party in such circumstances? This can only be done if it’s provided for in the contracts that you are entering today that have more than a two-year shelf life.

“Imagine if a data processor has a single data breach but the data is on multiple records. The fine will not be for one breach, but multiple breaches under the GDPR,” explains Martin Hickley.


Leave a reply