How to ensure GDPR compliance
Contractual compliance with the General Data Protection Regulation (GDPR) could take time to achieve by 25 May when it involves third parties that you engage, such as a payroll provider, that can access personal data.
As data “controller”, you cannot appoint a “processor” until you have carried out due diligence to show it has adequate technical and organisational measures in place to protect data. The good news is that adhering to an approved code of conduct can give sufficient evidence.
GDPR additions to the technical and organisational security measures needed in a written contract include:
• details of the processing: its subject matter, duration and nature, the type of personal data, and the categories of data subjects;
• the processor must help the controller with security measures, data breach notification and impact assessments, and must ensure that staff authorised to process personal data have committed to confidentiality;
• the right for the controller to audit the processor and its processing activities; and
• the processor must give the controller access to the information needed to demonstrate compliance, and must inform the controller if an instruction breaches GDPR.
Failure to have compliant contracts could result in a fine of up to €10m, or 2% of a group’s worldwide turnover.
Instead of standard clauses, many businesses see a need for an independent practical contractual framework to ensure GDPR processes are in place and demonstrable.
By Sam De Silva, partner at CMS Cameron McKenna Nabarro Olswang LLP