Most businesses will, by now (fingers crossed!), have privacy policies and data protection procedures in place. Businesses should also have an awareness of how to manage and protect any personal data they receive and collect from their customers or suppliers.
The data landscape
Data protection legislation in the UK and the European Economic Area (EEA) requires data controllers to undertake due diligence on parties they appoint as data processors or with whom they share personal data.
This means that data controllers should use only data processors that can demonstrate their internal compliance, document the security of their IT systems and implement appropriate technical and organisational measures. This is required by the General Data Protection Regulation (GDPR) in order to protect data subjects’ rights.
The first question is, therefore, to identify whether your business is a data controller or data processor. Simply put, does your business collect personal data and determine how this data is used? Or does your business simply receive personal data from another entity and use this to provide a service?
Managing your contracts
Both data processors and data controllers can be liable under UK GDPR, and so it is in both parties’ interests to ensure that data protection is adequately considered and addressed in commercial contracts. This is regardless of whether they operate an outsourced function or whether the data processor is processing data as part of a wider service contract on behalf of the data controller.
Data protection provisions should always be present in commercial contracts so there is certainty and clarity on what each party is expected to do with the data.
Depending on the nature of the contract, provisions should be included which state the exact details of the processing, type of data and provisions setting out the processor’s obligations. This may include standards the data processor must meet when processing personal data on behalf of the controller and the permissions it needs in relation to that processing.
Some of these provisions could include:
- The data processor acting only on the written instructions of the data controller
- Engaging sub-processors only with the prior written consent of the data controller
- Obligations on the data processor to adopt appropriate technical and organisational measures to keep data safe and secure
Risk and liability
Alongside the contractual obligations, the parties will also need to decide the risk and liability allocation for data breaches. Usually, in commercial contracts these are defined within the ‘parties’ obligations’ section and will normally include a series of liability and indemnity clauses.
Regardless of whether you are a data processor or data controller, you must always be wary of agreeing to indemnities relating to data breaches. Should you agree to indemnify another party for such breaches, you will essentially create an obligation to ‘promise to pay’ the other party in the event of any losses or damages suffered by that party.
Indemnities are calculated on a pound-for-pound basis and are, depending on the drafting, not subject to the usual common law rules of remoteness of damage – i.e., indirect damages – or the duty to mitigate.
Data protection legislation is ever-changing – we have seen a lot of updates to the regulatory landscape over the last five years: first Schrems (Privacy Shield), then Brexit, then the new European SCCs and now the new UK IDTA. Make sure your contracts contain adequate data protection clauses and ensure that you are up-to-date on data protection issues – don’t be caught out!