The European Union’s implementation date for the General Data Protection Regulation is fast approaching. May 25, 2018, will be here before we know it. Companies that interact with and/or process EU personal data should hopefully be well on their way to ensuring all data protection processes and procedures are GDPR compliant. If not, they could face steep fines and penalties (€20 million (U.S.$23M) or up to 4 percent of global annual turnover, whichever is greater) after GDPR takes effect.
Below are five critical steps, which can serve as a checklist, that companies should take to review and amend contracts in advance of the GDPR implementation date.
1. Review existing policies and procedures and perform a gap analysis. Before any customer or supplier contracts are reviewed or amended, companies should conduct a thorough review of existing data privacy compliance initiatives, policies and procedures, and flag anything that does not meet GDPR and other regulatory standards. As with other regulations (e.g., the Foreign Corrupt Practices Act), you should also verify that third-party suppliers that may handle your data are GDPR compliant or well on their way to compliance by May 2018. This “gap analysis” should also include ensuring that data retention policies specify how long information is kept, and that data maps exist showing where and how data is stored across the organization.
This review and gap analysis will ensure the company’s GDPR compliance processes are aligned with its strategic objectives and help determine best practices and internal policies to guide and facilitate compliance. It also reveals red flags, inconsistencies and areas for remediation that can be addressed before any contracts are amended.
2. Develop a playbook for moving forward. After a company has undertaken a detailed GDPR gap analysis, it can turn to contract review and remediation. The first component should be the design of a comprehensive playbook to guide the end-to-end contract drafting and contract amendment process, both for legacy contracts and for contracting going forward. Many companies are both controllers and processors of data, and the playbook should consider the implications of this for the end-to-end contracting process. In addition to setting out the processes that need to be followed, the playbook should include a GDPR amendment template containing new GDPR-compliant clauses, together with guidance for contract negotiators on how to deal with likely pushback from counterparties. The playbook will be used to redline and negotiate amendments or any counterparty templates received by the company. Creating a playbook will help minimize the risks associated with GDPR non-compliance by standardizing the approach to contract remediation and setting out clearly the approved templates and clause language required.