GDPR processor clauses and why they can't wait
Most compliance professionals and in-house lawyers will be well aware that in GDPR terms the 'big day' is fast approaching. Some boards may by now have been persuaded this really should be at the top and not the bottom of the risk register. Others may be taking a more 'wait and see' approach ie wait and see who actually gets fined and how much. Then there will be a few who wasted no time, got their GDPR readiness plan in place and are already well on their way to passing the 25 May 2018 finishing line with 'GDPR star' status.
If, like many, you are still pondering where to even begin on the journey to GDPR star status - start with your contracts!
The GDPR introduces far more stringent obligations to be imposed in writing on data processors than current data protection laws in Europe. There is no short cut ie you can't just rely on an applicable law clause. The 'new style' processor clauses actually have to go into the contract.
This means that for any new processor contracts you are negotiating that will run beyond 25 May 2018, these clauses need to go into the contract now. It could save a lot of work and expense in the long run if the clauses go into the contract on day one - even if they lie dormant and kick-in on 25 May 2018. Otherwise, there could be some difficult discussions ahead around incorporating these provisions post signature, including as to who pays for implementing new processes, procedures and safeguards and ultimately possibly even terminating contracts if these discussions are not successful. As there is no 'get out of jail free' card for legacy processor contracts, there will still be plenty of these types of discussions to be had over existing contracts that run beyond May 25 May 2018.
Many customers will find when negotiating contracts with the 'big players' that they have very little influence over the contract terms. Customers will increasingly find themselves weighing up the benefits of a service provider's services and cost advantages against GDPR compliance. Nevertheless, if you're dealing with a big player, there's still value in applying relationship pressure - the big players have an interest in GDPR compliance too (both from a general compliance perspective and a competitive perspective) so it is worth reaching out to them to understand what their plans are. The more pressure they get from customers, the sooner they're likely to offer GDPR compliant terms. It is also worth bearing in mind that the GDPR is not clear about whether the obligation to include processor clauses in contracts falls on the controller, the processor or both. The GDPR simply says these clauses must be included - so it is very possible that both the controller and the processor must ensure they are included.
You may well at this point be asking yourself two questions: Firstly, what's the risk? Secondly, what is everyone else doing?
Technically there is a risk of exposing the business to fines of up to 10 million Euro or 2% of global annual turnover simply for failing to include these clauses in your processor contracts. How likely is this to happen in practice? Most processor contracts will never come anywhere near a data protection regulator. In that sense, the risk is low. On the other hand, regulators will have new rights to audit your compliance so although the probability of being 'caught out' is low, that's not to say it won't happen. Some will be caught out and it is most likely to be businesses that operate in sectors where complaints to the regulators are frequent or otherwise they are a big brand organisation with big customer databases and of interest to regulators for that reason.
Turning to the second question ie what is everyone else doing? Some will be well ahead of the curve and others trailing far behind but a middle-ground approach we are seeing emerge is the identification and tackling of 'high risk' processor contracts (at least to start with). In practice this means creating a 'processor inventory' and identifying the high risk contracts based on, eg volume of personal data processed, where it might be accessed from and by how many sub-contractors/people, how sensitive the data is and how far beyond May 2018 the contract will run.
As they say, a stitch in time saves nine ….