· Explainer · 8 min read
GDPR and Contracts: Why Corporate Boards Should Care About Data Compliance
GDPR affects companies worldwide that process EU residents’ personal data. It distinguishes between data controllers and processors, each with specific responsibilities. Key contractual requirements include operating under instruction, ensuring confidentiality, implementing security measures, and handling data subjects’ rights. Corporate boards must understand GDPR implications due to potential financial risks, reputational damage, and strategic impact. Companies must review and update their contracts to ensure GDPR compliance and avoid hefty fines, with board oversight playing a crucial role in this process.
It looks like a standard clickbait headline: “If you forget to do this, your company could be fined €20 million!” As fake as this headline sounds, there is much more than a kernel of truth in it – in fact, it refers to the very real General Data Protection Regulation (GDPR). The GDPR was passed by the EU on April 27, 2016 and goes into effect on May 25, 2018, and introduces sweeping changes for data management, use, and protection.
The GDPR’s impact will be felt worldwide, even by companies operating outside of Europe. Any company that processes personal data of EU residents is subject to GDPR rules (and severe penalties for noncompliance), regardless of where it is located. “Processing” is an expansive definition within the GDPR that includes collection, storage, dissemination, or deletion of data. In essence, if your company handles personal data of EU residents in any way, your company will likely be subject to the GDPR.
Why Corporate Boards Should Care
Corporate boards play a crucial role in overseeing risk management and ensuring regulatory compliance. The GDPR presents significant challenges and potential risks that demand board-level attention:
Financial Risk: With fines up to €20 million or 4% of global annual turnover (whichever is higher), GDPR non-compliance poses a substantial financial risk that can impact shareholder value.
Reputational Damage: Data breaches or non-compliance can lead to negative publicity, eroding customer trust and potentially impacting long-term business prospects.
Strategic Impact: GDPR compliance may require significant changes to business processes and technology infrastructure, affecting overall business strategy and resource allocation.
Legal and Regulatory Oversight: Boards are responsible for ensuring that the company has robust compliance programs in place, including those addressing data protection regulations like GDPR.
Corporate Governance: Implementing GDPR-compliant practices often requires cultural changes within an organization, which should be driven from the top down.
International Business Operations: For companies operating globally, understanding GDPR implications is crucial for maintaining and expanding business in EU markets.
Board Consideration: Given these factors, boards should ensure they have a clear understanding of GDPR requirements and their company’s compliance status. Regular updates from management on GDPR-related risks and mitigation strategies should be part of the board’s agenda.
Controllers vs. Processors – Duties and Liabilities
It is important to understand how the GDPR distinguishes between controllers of data and processors of data. Per the GDPR definitions, a controller is the party which “determines the purposes and means of the processing of personal data,” whereas a processor is the party which “processes personal data on behalf of the controller.”
The controller is responsible for complying with the personal data principles laid out in Article 5 of the GDPR, which include:
- Lawfully, fairly, and transparently processing data
- Limiting data collection to what is required for a legitimate, specific purpose
- Minimizing the amount of data processed to what is adequate and relevant
- Ensuring accurate data that is erased or corrected in a timely manner
- Retaining data for an appropriate amount of time and deleting when no longer needed
- Processing data with integrity and confidentiality
The processor, on the other hand, must comply with the principles outlined in Article 28 of the GDPR, including:
- Only processing data based on documented instructions from the controller
- Ensuring confidentiality of those individuals processing the data
- Deleting or returning all data to the controller upon completion of services
- Providing evidence of compliance to controller
Due to increasing complexity in the information supply chain, many companies are both processors and controllers. This creates situations where contracts can be between two “intermediate” processors both under the instruction of a third-party controller. Thus, when assessing your contracts, you must determine whether your entity is the controller or the processor, as the regulatory requirements are very different between the two. This assessment must occur on a per-contract basis to avoid costly mistakes.
Contractual Requirements Under GDPR
The GDPR also outlines numerous contractual requirements between controllers and processors. These requirements are usually beneficial to the controller, putting a high degree of responsibility on the processor. Viewed differently, these requirements are “best practices” enshrined in regulation that help ensure data integrity, confidentiality, and security.
Operating Under Instruction
Processors may only take data processing action based on documented instructions from the controller. You may want to review your contracts to ensure that these instructions are either clearly stated therein, or that contracts clearly indicate sources and procedures around instructions.
Ensuring Confidentiality
Processors must ensure confidentiality of data by requiring that individuals who process personal data have a contractual or statutory obligation of confidentiality. Standard terms, like scope of confidential information and the duration or term, should be included in contracts.
Taking Appropriate Security Measures
Article 32 of the GDPR mandates that processors assess the risk of the data being processed and implement security measures that are proportional to the assessed risk. These measures include data encryption and pseudonymization, vulnerability testing, and processes for restoration of data. Many organizations will need to review and compare these requirements with their existing Information Security Programs and Policies, like ISO 27001.
Sub-Processor Restrictions
Processors are limited in their ability to subcontract processing work unless written authorization has been given by the controller. Depending on whether you are a processor or a controller, you may want to ensure these terms are explicit in your agreements, and that mechanisms or audits are in place for verifying their accuracy.
Data Subjects’ Rights
If individual data subjects assert their rights under Chapter III of the GDPR, processors must assist controllers in responding to this request. The processor’s response may differ based on the nature of the data processing, as well as the processor’s technical abilities. Processors and controllers may need to negotiate terms around these responsibilities (for example, to compensate processors reasonably).
Security Breaches
In the event of a security breach, most of the reporting requirements fall on the controller, but in the event that a processor discovers a breach, it must inform the controller “without undue delay.” In many cases, controllers and processors may want to explicitly define acceptable delays; for example, processors working with sensitive financial information might be required to notify their counterparty within 24 hours.
Completion of Contract
The contract must address what action should be taken with respect to the processed data. Unless EU or Member State laws require retention of personal data, the controller dictates whether the processor is to delete or return data upon completion of services. The length of retention can translate to significant ongoing storage and security costs. Because of this, processors and controllers should carefully document and review these terms and requirements.
Evidence of Compliance
Processors are to cooperate with controllers or other controller-directed auditors to demonstrate conformity with the GDPR requirements. They should be prepared to provide appropriate evidence to support their compliance. However, it is up to controllers and processors to negotiate how processors are compensated for these activities. Processors and controllers should review their contracts to identify and negotiate any related provisions, as the cost of these audits can be significant.
Conclusion
The GDPR represents a significant shift in data protection regulations, with far-reaching implications for businesses worldwide. As we’ve explored, the distinction between controllers and processors, along with the specific contractual requirements, create a complex landscape that companies must navigate carefully.
For corporate boards, understanding and overseeing GDPR compliance is not just a matter of regulatory adherence – it’s a critical component of risk management, strategic planning, and corporate governance. The potential for significant financial penalties, reputational risks, and operational impacts of non-compliance make GDPR a board-level issue that demands ongoing attention and proactive management.
To ensure compliance and avoid potentially crippling fines, businesses must take proactive steps to review and update their contracts, data processing procedures, and security measures. This is not a one-time effort but an ongoing process that requires continuous attention and adaptation as the regulatory landscape evolves and new challenges emerge. Boards should ensure that management has implemented robust GDPR compliance programs and regularly review the effectiveness of these measures.
Board Consideration: By embracing these changes and viewing them as an opportunity to strengthen data protection practices, companies can not only avoid penalties but also build trust with their customers and partners. As stewards of corporate governance, boards play a crucial role in whether their companies simply comply with their legal obligations or make the effort to improve their data practices as a competitive advantage.