Are you ready for GDPR?
In a previous blog post, "New Data Protection Regulation is upon us", I wrote about the start of the implementation process for the new General Data Protection Regulation (GDPR). At that stage it was still very early days. Since then there have been a number of developments, and with the deadline for compliance now in sight, this post outlines some of the requirements that businesses should be aware of.
Previously, liability for data breaches fell on the owners of that data (the data controllers). The GDPR, however, imposes far more rigorous obligations on data processors and, more importantly, will impose liability on them for non-compliance.
So, if your company uses any personal information (i.e. processes any personal data) on behalf of its customers, the GDPR will affect you. Examples include businesses in IT, marketing, recruitment or, indeed, any outsourced services.
Listed below are just some of the key contractual requirements for data processors:
- Only processing data on the instructions of data controllers
- Implementing technical and organisational measures to protect personal data against loss or damage
- Imposing confidentiality obligations on all personnel authorised to process the personal data
- Clear restrictions on outsourcing data processing activities to other processors or sub-contractors
- Strict data breach notification requirements, including measures to assist the data controller in complying with GDPR
- At the data controller’s option, either returning or destroying the personal data at the end of the relationship
- Restrictions on exporting data outside of the EEA unless adequate safeguards are in place
- Requirements to appoint a data protection officer in certain situations
In addition to the above, there are also certain record-keeping requirements. This means that any contract which involves data processing activities must set out the subject matter and duration of the processing, the purpose of the processing, the type of personal data being processed, and the rights and obligations of the data controller.
In order to ensure that your business is compliant with the new changes, it is essential to review your existing contracts before the end of May. If the above contractual requirements are not already set out in your contracts, you could face problems and possibly be in breach of the legislation once it comes into full effect on 25 May 2018.
For further information on GDPR or contractual matters, please contact our Company Commercial team.
Please note the contents of this blog are given for information only and must not be relied upon. Legal advice should always be sought in relation to specific circumstances.