The New Normal - Data Privacy Gotchas in Commercial Contracts
The May 25, 2018, deadline for General Data Protection Regulation (GDPR) compliance has ushered in a new era for commercial contracts. Not surprisingly, GDPR assurances are now sprinkled throughout B2B services agreements. What is somewhat surprising, however, is the breadth of data privacy commitments that a supplier of services is expected to make to its buyers.
A services contract I recently reviewed required the seller of services to comply with GDPR - standard fare. However, the agreement went on to be very specific about which internal controls and processes were required. In particular, it called for a full-throttle "Security Program" to ensure protection of EU data subjects, a program that could be audited by the buyer at any time.
Among many other features, the Security Program had to meet certain organizational structure requirements and include security awareness training and disciplinary processes, as well as design reviews for software development and quality assurance. On top of that, all processes, policies and controls had to be memorialized in written form (and that documentation was itself subject to audit).
So what's your average business to do? It's one thing to agree to protect the personal information that your company may process or control and to build your own right-sized compliance program. But are your systems and processes audit-worthy to your own customers? In addition to building a formal, comprehensive data privacy program for your company, here are 3 recommendations for protecting your business.
1. Get Data Breach Insurance. If you can offset some of the risk of doing business in a data-privacy-oriented environment, you should. Reach out to your insurance broker and ask for a quote on cyber insurance with data breach coverage. You should also ask whether there is a specific rider for GDPR.
2. Read and redline contracts carefully. What, precisely, are you agreeing to do? Does your customer have the right to come on premises and review your policies and procedures? Limit the scope of the commitments you make to what you can actually deliver in terms of protecting your customer's data.
3. Revisit your contractor agreements. If you outsource some or all of your services to a contractor, you may need to strengthen the clauses on confidential information, data privacy and GDPR compliance, and indemnification. The customer agreement you're getting ready to sign likely holds you accountable for the misbehavior of your contractors, so make sure that your agreements with outsourced personnel are watertight.