In many trading relationships, there will be a flow of data from one business to another – and where that data consists, wholly or partly, of ‘personal data’, the law requires certain provisions to be included in a written agreement. And since the implementation of the GDPR, those ‘data processing clauses’ have become, out of necessity, rather lengthier than they once were.
Definition Under the GDPR
Where a data processor carries out any processing on behalf of a data controller, the data controller does not comply with the GDPR (Article 28) unless there is a written contract between the two parties (electronic form is acceptable) that includes, as a minimum, the following clauses:
- a summary of the subject-matter of the processing;
- the length of time that the processing will continue;
- the nature and purpose of the processing;
- the type(s) of personal data that will be processed;
- the categories of data subjects whose personal data will be processed;
- a statement of the obligations and rights of the data controller;
- the data processor must only act on the data controller’s documented instructions;
- that the data processor must ensure all of its personnel who access the data are subject to appropriate confidentiality obligations;
- the data processor will implement the technical and organisational security measures that the GDPR (Article 32) requires, of which encryption and pseudonymisation are named examples rather than absolute requirements;
- the data processor must assist the data controller in dealing with requests from data subjects, dealing with data breaches and conducting impact assessments;
- the data processor must delete or return (at the data controller’s choice) all personal data at the end of the contract, or when the need for processing ceases, and must delete any remaining copies unless the law requires it to retain them;
- the data processor must provide any information the data controller requests in order to demonstrate compliance with the GDPR, and must allow the data controller (or an auditor appointed by it) to audit and inspect the data processor’s compliance;
- the data processor must not delegate the processing to a sub-processor without the data controller’s prior written authorisation (which may be specific or general), and then only on the basis of a written agreement that imposes the same data protection obligations as the list above; the data processor remains fully liable to the data controller for the sub-processor’s performance.
What Does the GDPR Definition Really Mean?
Much like before, there must still be a written contract when one business processes personal data on behalf of another business, but even a ‘basic’ clause will now be far longer and more detailed, often running to a couple of pages of text.
In addition, a data controller is only permitted to use data processors that provide sufficient guarantees to implement appropriate technical and organisational measures in order to meet the requirements of the GDPR, and protect the rights of the data subject. Examples of factors to be taken into account when assessing a processor’s suitability include:
- the extent to which the processor can demonstrate compliance with industry standards (if applicable);
- whether they have sufficient technical expertise to assist the controller in fulfilling their obligations under the GDPR;
- whether or not the processor can demonstrate adherence to an approved code of conduct or certification scheme.
What Must My Business Do to Ensure Compliance?
First, identify every single relationship your business has with suppliers, customers, outsourcers, contractors, agents, resellers, distributors and so on, where either you disclose any personal data to them, or they disclose any personal data to you.
Secondly, for each of those relationships, identify whether you are the data controller or the data processor (or whether both parties are independent controllers, in which case the Article 28 clauses are not mandatory, although a data-sharing clause is still prudent). It is likely that you will want to agree a slightly different data clause depending on the answer: as a data controller, you will want to shift as much of the burden onto the data processor as possible, bearing in mind that the controller remains accountable for compliance and cannot contract out of that accountability; as a data processor, you will want the data controller to take responsibility for compliance with the law, in particular for the lawfulness of the instructions it gives you.
Finally, identify whether there is an existing contract in writing between the two parties. If there is an existing contract, then you have to agree an amendment to that contract (which shouldn’t be a problem in principle, as the other party should also be keen to amend that contract to comply with the GDPR). If you do not have an existing contract, then you have to enter into a written agreement, ensuring that the agreement includes the required data clause.
Article 28 also allows the European Commission and supervisory authorities to adopt ‘standard clauses’ for processor contracts, so it may be that, dependent on timing, you can use the standard clauses published by the European Commission or the UK authorities rather than drafting your own.
Any and all contracts that you enter into that involve a flow of personal data should include a suitable data clause that complies with the GDPR.