What does GDPR mean for your terms and conditions?

The deadline for compliance with the regulation governing GDPR is 25 May and while the core structure and obligations it brings are similar to the current regime, data controllers will not only have to comply with the six data protection principles but also to demonstrate compliance with them.

Data controllers now need to take proactive steps towards compliance, including ensuring that any contracts under which they transfer personal data both comply, and can be shown to comply, with the data protection principles.

The regulations also set out obligations for appointing data processors. Data controllers must seek sufficient guarantees that data processors have implemented appropriate technical and organisational measures to protect personal data, and the relationship between a controller and processor must be set out in a written agreement.

Not surprisingly, under GDPR, there are specific terms which must be included in contracts which govern data processing. Data controllers must ensure that contracts set out:

• the subject matter and duration of processing;
• the nature and purpose of the processing;
• the type of data processed and categories of data subject;
• the obligations and rights of the data controller.

Not only this, but contracts must also obligate the data processor to:

• process personal data only on documented instructions from the data controller;
• impose confidentiality obligations on persons authorised to process the personal data;
• ensure the security of the personal data;
• comply with additional rules restricting the appointment of sub-processors;
• assist the data controller to comply with data subjects’ rights;
• assist the data controller to comply with data security requirements;
• return or destroy the personal data at the end of the processing arrangement;
• provide the controller with all information necessary for the data controller to demonstrate compliance; and
• notify the data controller immediately if it believes that any instructions from the data controller are illegal.

Data controllers transferring data to processors will need to ensure that all contracts contain all of the information above, whether it be on their standard terms or on any agreement negotiated with a third party.

Even if the other party has provided the agreement, it will be the data controller’s responsibility to ensure that the provisions listed above are included. This applies not only where an agreement is agreed solely or mainly for the purpose of data processing, but to any arrangement where a data controller will be passing personal data to a third party for processing.

Any business collecting or holding records or personal data which it transfers or intends to transfer to a third party for processing should act now to ensure that it can show compliance by the May deadline.