The deadline for GDPR is looming. The General Data Protection Regulation is the new data protection legislation that applies from 25 May 2018; it strengthens protection of personal data and tightens the rules on how companies report data breaches.
By now, with only a few weeks until the Regulation applies, many businesses have spent months working carefully through the processes needed for GDPR compliance, and most organisations should be close to a position where they are internally in good shape.
However, most companies' IT provision involves a wider ecosystem of external IT providers.
Cloud-based providers now supply a large share of software, but their standard contracts will not contain the processor terms GDPR requires unless you have been through an explicit renegotiation, or you are a new customer and they have addressed GDPR in their contract. Ask yourself how many outsourced providers you use: payroll, data centres, infrastructure provision, call centres, digital marketing; the list goes on.
Under GDPR the organisation remains the data controller, and as such it stays responsible for all processing carried out on its behalf by third-party processors and their sub-contractors; whoever is appointed to own data protection internally will need to oversee those external processes as well as the internal ones.
While it is challenging enough for an IT department to reach full GDPR compliance by the target date, this last step in the journey may turn out to be bigger than expected and may present the greatest challenge of all. Every vendor contract needs to be updated to be sure that each partner, provider and supplier will also play its part in the GDPR procedures. It is the last hurdle on the road to compliance, but an unpredictable one: it adds complexity to the supplier relationship and to providers' responsibilities, and may involve lengthy discussions with suppliers and their legal advisers to revisit contracts and update agreements. This considerable amount of administration may not sit well with the normally fast-moving world of the IT function and its industry partners.
Some organisations are already well down this road. They are working through each in-scope supplier contract that needs to be renegotiated and updated, perhaps by adding a GDPR addendum to address the new requirements. There are likely to be many small details to settle within every contract, as wording is redrafted, discussed and finally agreed. The amount of work remaining at this stage, and the resources required to execute it, can be estimated at the beginning of the programme.
Harder to estimate are two important factors: a particular vendor's willingness to negotiate, and the other demands on its negotiating team, which together will dictate how long the discussions take.
With just a short time left to prepare, now is the time to take control and manage the redrafting of contracts to be sure of crossing the finishing line on time. The first key task is to identify which IT suppliers fall within the scope of GDPR; a first pass can be done fairly rapidly through common-sense discussions with the key stakeholders. Negotiations can then start while any longer and more detailed data audit is under way, such as a data protection impact assessment (DPIA), which may reveal further suppliers that belong in the renegotiation remit.
Once this draft list of IT suppliers has been reviewed and discussed, it and the priority assigned to each supplier can be used to drive the appropriate approach for reviewing each contract and deciding how it should be updated and revised.
The new legislation requires that every third-party supplier contract involving the processing of EU personal data contain specific terms that meet the requirements of GDPR; Article 28 sets out these mandatory processor terms, and there are no fewer than eight new provisions that need to be addressed contractually and agreed. While these new areas are being negotiated with suppliers, it is natural for other commercial terms to be reopened too, as there are new risks and liabilities on both sides that will need to be balanced with limits of liability, indemnities and similar clauses. At this stage, it may well be worth adding more resources to the GDPR programme. The heavy fines that GDPR introduces are well known, and a breach or accidental loss of customer data that exposes an inadequate contract or inadequate controls is an obvious route to one, but fines are not the only risk: an organisation that is late with GDPR compliance could also face a supervisory authority imposing a temporary or permanent ban on its data processing activities.
There is no doubt that the effort companies have invested in preparing for GDPR has been substantial. Are there lessons to be learned from this? GDPR highlights the importance of procurement skills and contract negotiation, two areas that have sometimes been overshadowed by other priorities. ITIL's supplier management guidance reinforces the point: IT procurement, with good contract management and supplier management, should be acknowledged as a valued skill in every IT function.