The European Union’s implementation date for the General Data Protection Regulation is fast approaching. May 25, 2018, will be here before we know it. Companies that interact with and/or process EU personal data should hopefully be well on their way to ensuring all data protection processes and procedures are GDPR compliant. If not, they could face steep fines and penalties (€20 million (U.S.$23M) or up to 4 percent of global annual turnover, whichever is greater) after GDPR takes effect.
One of the most involved—but important—tasks to ensure GDPR compliance is a comprehensive review of customer, supplier, inter-company and data privacy agreements. For many companies, this can be a significant undertaking, and requires careful attention to make sure these contracts follow internal corporate policies, are in line with overall corporate strategy and meet GDPR and other regulatory requirements. If not, and the contracts govern relationships involving access to individuals’ personal data, then they need to be remediated.
Below are five critical steps companies should take to review and amend contracts in advance of the GDPR implementation date that can serve as a checklist.
1. Review existing policies and procedures and perform a gap analysis. Before any customer or supplier contracts are reviewed or amended, companies should conduct a thorough review of existing data privacy compliance initiatives, policies and procedures and flag anything that does not meet GDPR and other regulatory standards. Like other regulations (e.g., the Foreign Corrupt Practices Act), you should also verify that third-party suppliers that may handle your data are GDPR compliant or well on their way to compliance by May 2018. This “gap analysis” should also include ensuring data retention policies specify how long information is kept, and that data maps exist that show where and how data is stored across the organization.
This review and gap analysis will ensure the company’s GDPR compliance processes are aligned with its strategic objectives and help determine best practices and internal policies to guide and facilitate compliance. It also reveals red flags, inconsistencies and areas for remediation that can be addressed before any contracts are amended.
Companies that interact with and/or process EU personal data should hopefully be well on their way to ensuring all data protection processes and procedures are GDPR compliant. If not, they could face steep fines and penalties (€20 million (U.S.$23M) or up to 4 percent of global annual turnover, whichever is greater) after GDPR takes effect.
2. Develop a playbook for moving forward. After a company has undertaken a detailed GDPR gap analysis they can turn to contract review and remediation. The first component should be the design of a comprehensive playbook to guide the end-to-end contract drafting and contract amendment process both for legacy contracts and contracting on a going forward basis. Many companies are both controllers and processors of data and the playbook should consider the implications of this on the end-to-end contracting process. In addition to setting out the processes that need to be followed, the playbook should include a GDPR amendment template that includes new GDPR compliant clauses together with guidance for contract negotiators on how to deal with likely pushbacks from counterparties. The playbook will be used to redline and negotiate amendments or any counterparty templates received by the company. The creation of a playbook will help minimize the risks associated with GDPR non-compliance by standardizing the approach to contract remediation and setting out clearly the approved templates and clause language required.
3. Review and identify in-scope contracts. Once the above step is complete, a company can then turn to reviewing contracts. Depending on the size of the company, there could be a high volume of contracts to review and, if necessary, amend. Using an A.I./machine-learning contract review tool can greatly speed the process of identifying active and inactive agreements, abstracting relevant contract provisions and pinpointing contract types for GDPR compliance remediation. In this stage, companies will want to:
Sort legacy customer and supplier contracts first by whether they are active or in-active. Only contracts which will continue beyond May 2018 should be further reviewed to identify if in-scope or out-of-scope for GDPR compliance purposes;
Prioritize initially your highest risk, active, in-scope contracts for review and potential remediation; and
Identify whether these contracts are compliant or non-compliant with GDPR. Unless terms have already been updated, these contracts will be non-compliant and require amendment. In addition, if under the terms of the contractual relationship data is being transferred outside of the European Union, an appropriate data transfer mechanism will need to be in place such as the Standard Contractual Clauses.
4. Draft and send amendments. After the contract review is complete, companies should draft amendments incorporating updated GDPR compliant terms and send these out to the in-scope counterparties. Keep in mind that some counterparties may be unresponsive and require multiple follow ups. Also, don’t assume that all customers and vendors will be up to speed with the implications of GDPR. Some amendment negotiations will run extremely smoothly and others may be more difficult and elongated. These eventualities and guidance for contract negotiators will be detailed in the playbook.
5. Finalize and execute contracts. With agreed language in place, finalize and execute the amended contracts and upload or store them in your contract lifecycle management platform or repository with the key terms entered in a structured data format. This way companies will have an auditable “source of truth” if ever called upon to demonstrate GDPR compliance.
Now is the time to begin. Companies that have not yet started a comprehensive GDPR compliance review would be wise to start as soon as possible. This is an involved, time-consuming process that should not be left to the last minute. A rushed job, or one that does not follow a thoughtful, strategic path, could lead to costly gaps in compliance.
Rachita Maker and Patrick Won contributed to developing this article.
Mark Ross is global head of contracts, compliance and commercial services at Integreon; Rachita Maker is vice president of contracts, compliance and commercial services at Integreon; Patrick Won is manager of contracts, compliance and commercial services at Integreon.