Georgia Shriane

The matter is complicated by GDPR if the data is personal data. A practical solution is to separate liability in relation to data, and also personal data, from other liability under the contract. Separate caps on liability can be put in place, sometimes linking to insurances a party may hold, as well as exclusions or limiting circumstances. For the most effective limitation of liability, the clause should really be tailored to the circumstances and roles of each of the parties.

Ownership of data generally boils down to the control, creation and responsibility for it. IT systems security and limiting access to data is the most secure way of controlling data, claiming it and preventing it being used or accessed by others. If the data is confidential or business critical information, it should be identified and protected as such. If data is genuinely anonymous/analytics data (i.e. not personal data under the GDPR) then it can usually be used freely as it is not owned. Personal data is in a category of its own entirely on this point – so this subject is complex!

All contracts can be terminated on “reasonable notice” and for breach, so there is always an end possible, but drafting a workable termination clause at the outset is sensible, even if everyone intends to harmoniously work together and complete the contract fully. Carefully setting out obligations or service levels and linking these to consequences (a reduction in price, service credits or ultimately termination) as well as providing for a run-off period or cooperation and handover post-termination is really important to avoid disagreement and potential litigation.