GDPR is More Than "Consent to Use Cookies"
When the European Union's General Data Protection Regulation (GDPR) took effect in May 2018, it did more than drive the wave of cookie-consent banners (the cookie rule itself comes from the earlier ePrivacy Directive; the GDPR raised the bar for what counts as valid consent). The GDPR places explicit and wide-ranging constraints on any business that processes personal data, and many companies -- and their contracts -- continue to struggle with GDPR compliance.
In this eBook, we lay out the key aspects of the GDPR that should inform your contract-drafting process, so you can stay ahead of this ever-evolving regulatory framework.
What is the GDPR?
The European Union's General Data Protection Regulation governs how organizations process the personal data of individuals in the EU (and the wider EEA). It is not limited to websites or the Internet: any processing of personal data, online or offline, falls within its scope. It applies to organizations established in the EU, and also to organizations outside the EU that offer goods or services to people in the EU or monitor their behaviour (Article 3).
To deliver a concept as nebulous as "privacy" to everyone in the European Union, the GDPR explicitly defines some key terms (Article 4) with which you and your contracts must be familiar.
Personal Information
The GDPR's own term is "personal data": "any information relating to an identified or identifiable natural person" (Article 4(1)). The test is identifiability, not sensitivity, so the term has been read broadly to cover names, postal and email addresses, photos, location data, and online identifiers such as IP addresses and cookie identifiers (Recital 30). The GDPR protects this data by giving individuals (data subjects) rights over how it is collected, used and shared, and by imposing duties on the organizations that process it.
Sensitive Data
Sensitive data, which the GDPR calls "special categories of personal data" (Article 9), is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, together with genetic data, biometric data used to uniquely identify a person, health data, and data concerning a person's sex life or sexual orientation. Processing these categories is prohibited unless one of the specific exceptions in Article 9(2) applies (explicit consent, for example), so they receive an additional layer of protection beyond ordinary personal data.
Data Collection and Data Processing
Under the GDPR, "processing" is a deliberately broad term: any operation performed on personal data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, combination, restriction, erasure and destruction (Article 4(2)). Collection is therefore itself a form of processing, not a separate step that precedes it. Strictly speaking, anything from alphabetizing a mailing list to calculating a person's credit score counts. Article 5 requires personal data to be processed "lawfully, fairly and in a transparent manner", collected for "specified, explicit and legitimate purposes", and kept "adequate, relevant and limited to what is necessary in relation to the purposes" (data minimization). Re-using data for a new purpose is not automatically allowed: the new purpose must be compatible with the original one, and Article 6(4) lists the factors to weigh, including the safeguards applied, such as encryption or pseudonymization. Those safeguards support a compatibility assessment; they do not replace it.
Data Controllers and Data Processors
Personal data may be processed either by a "controller" or a "processor". The controller is the organization that determines the purposes and means of the processing, and it is the controller that must establish a legal basis for it (Article 6). A processor processes personal data only on the controller's behalf and on its documented instructions (Article 28). A processor that in turn hands part of the work to another vendor engages a "sub-processor". What matters is the role an organization actually plays, not the label the contract gives it.
As an example, if your company runs a newsletter subscription form on its website and collects email addresses, your company is the controller. If you send the newsletters from software you run yourself, no processor is involved; you are simply processing the data as controller. If you use a third-party email service such as Mailchimp or G Suite to send them, that vendor is your processor, and any cloud or delivery provider the vendor relies on is a sub-processor. The controller remains accountable throughout: it may use only processors that provide sufficient guarantees of compliance (Article 28(1)), and must bind them by a written contract containing the terms Article 28(3) requires.
International Transfer
Sending personal data outside the EU/EEA is an international transfer (Chapter V), and there are rules around how it must be handled. Such a transfer is permitted if the European Commission has decided that the receiving country provides an adequate level of protection (Article 45); otherwise the exporter must put in place "appropriate safeguards" such as the Commission's Standard Contractual Clauses or Binding Corporate Rules (Article 46), or rely on one of the narrow derogations in Article 49. In July 2020, in the Schrems II decision, the Court of Justice of the European Union invalidated the EU-U.S. Privacy Shield Framework, finding that U.S. surveillance law did not give EU data subjects protection essentially equivalent to that under EU law. The Court upheld the Standard Contractual Clauses, but only on condition that the parties assess whether the destination country's law lets them honour the clauses in practice and adopt supplementary measures where it does not. Put simply, U.S. law does not currently offer privacy protections that are adequate on their own, so U.S. service providers must commit contractually to protections that go beyond what U.S. law requires, and must be able to back that commitment up with technical and organizational measures.
Security
Article 32 requires controllers and processors to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing. The article names encryption and pseudonymization, the ability to ensure ongoing confidentiality, integrity, availability and resilience of systems, the ability to restore availability after an incident, and regular testing of those measures. The obligation is risk-based rather than a fixed checklist, and it is especially relevant when it comes to data breaches.
Data Breach
A "personal data breach" is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data (Article 4(12)). The definition is wider than exposure alone: a ransomware attack that encrypts customer records, a lost unencrypted laptop, or an email attachment sent to the wrong recipient are all breaches, as is an intrusion in which data is copied. Whether the data subjects consented to anything is beside the point; what counts is the failure of security.
Breach Notification
Data controllers have an obligation to notify a personal data breach to their supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals (Article 33). If notification is late, the controller must give reasons for the delay. A processor that experiences a breach must notify the controller without undue delay; the 72-hour clock runs for the controller, which is why processor contracts commonly set a shorter deadline. The notification to the supervisory authority must describe the nature of the breach, including where possible the categories and approximate numbers of data subjects and records concerned, give the name and contact details of the data protection officer or another contact point, describe the likely consequences, and describe the measures taken or proposed to address the breach and mitigate harm. Where the breach is likely to result in a high risk to individuals, the controller must also communicate it to the affected data subjects without undue delay (Article 34). Whether or not a breach is reportable, Article 33(5) requires the controller to document it.
Contract Clauses That Need GDPR Updates
Now that you're up to speed on the relevant terms and provisions of the GDPR, here are the primary contract clauses that need to be specifically brought up to GDPR standards.
Data Processing Clause
Sometimes called the Data or Customer Data clause. A contract under which personal data is processed on a controller's behalf must set out the subject-matter and duration of the processing, its nature and purpose, the types of personal data and categories of data subjects, and the obligations and rights of the controller (Article 28(3)). In particular, specify whether the data is used only to provide the contracted services or also for other purposes (e.g., improving services or research), and on whose instructions; a processor that uses the data for its own purposes becomes a controller for that use, with the full set of controller obligations.
Sub-Processing Clause
If a data processor engages sub-contractors or sub-processors, it needs the controller's prior written authorisation, which may be specific or general; under a general authorisation the processor must inform the controller of intended changes so the controller can object (Article 28(2)). The sub-processor must be bound, by contract, by the same data protection obligations that bind the processor, and the processor remains fully liable to the controller for the sub-processor's performance (Article 28(4)). In practice this means maintaining a current list of sub-processors and reviewing their contracts and security commitments before approving them, not simply collecting copies of their privacy policies.
Data Security Clause
If your company performs data processing, you must commit to a level of protection appropriate to the risk (Article 32). This clause should describe, at least in outline, the technical and organizational measures taken to protect the data, and should allow for updating them as the state of the art changes. Common measures include encryption of data in transit and at rest, pseudonymization, role-based access control with least privilege, logging and monitoring, backup and recovery, regular testing such as penetration tests, and third-party certification or audit reports (for example ISO/IEC 27001 or SOC 2). Listing a measure in the contract is a commitment that an auditor or regulator can hold you to, so list what you actually do.
Breach Notification Clause
This clause must set out your breach notification process. A notification to the supervisory authority must describe the nature of the breach, including the approximate numbers of individuals and records concerned, name the organization's data protection officer or another contact point, describe the likely consequences, and describe the measures taken or proposed to mitigate harm. A notification to affected individuals is required where the breach is likely to result in a high risk to them (Article 34); it must use clear and plain language and cover the same points. The clause should also say who notifies whom: in a controller-processor relationship the processor notifies the controller, and the controller notifies the authority and, where required, the data subjects.
Notification Period Clause
Your deadline for notifying the other party of a data breach must be explicitly spelled out in your contracts. The GDPR standard for a controller is notification to the supervisory authority "without undue delay" and, where feasible, within 72 hours of becoming aware; for a processor notifying its controller it is simply "without undue delay", with no fixed number of hours. Because the controller's 72-hour clock starts when the processor makes it aware, controllers typically require processors to notify within 24 to 48 hours, and the contract should define when a party is considered "aware" and what a preliminary notification must contain.
Audit Clause
As a data processor, your organization must be able to demonstrate compliance: Article 30(2) requires it to keep a record of the categories of processing carried out for each controller, and Article 28(3)(h) requires the contract to oblige it to make available all information necessary to demonstrate compliance and to allow for and contribute to audits and inspections. Your contracts must stipulate which records are maintained, how often and on what notice the controller (or an auditor it mandates) can inspect them, and whether a third-party certification or audit report can satisfy the audit right in place of an on-site inspection.
Third Party Vendor Clause
Under the GDPR, data controllers are responsible for their own compliance as well as for choosing and supervising their processors and sub-processors. Your contract should stipulate the methods and standards you use to verify the security measures of any third-party contractors, for example security questionnaires, certification or audit reports, penetration test summaries, or a contractual right to audit, and how often that verification is repeated.
GDPR Standard Contractual Clauses
In an effort to simplify the work of GDPR compliance for businesses and organizations that don't have in-house legal teams, the European Commission publishes standard contractual clauses. The GDPR provides for two kinds: Standard Contractual Clauses for international transfers under Article 46, and standard clauses for the controller-processor contract itself under Article 28(7). Provided your organization can abide by the commitments documented in these clauses, adding them to your client contracts is the most straightforward path towards compliance. They are not a complete solution on their own, however: after Schrems II, transfer clauses must be accompanied by an assessment of the destination country's law and by supplementary measures where that law falls short, and the clauses may not be modified except to add business terms that do not contradict them.
It should be noted that the European Commission updates these contractual clauses, so your organization cannot adopt a "set it and forget it" policy towards this contractual language. The most recent draft update, published for consultation on Nov. 12, 2020, replaces clauses that were drafted under the 1995 Data Protection Directive and takes account of the Schrems II decision; once adopted, contracts relying on the old clauses will need to be migrated within whatever transition period the final decision sets.
How to Maintain GDPR Contract Compliance With LinkSquares
If the Commission's model clauses, regulators' guidance and court decisions keep changing what a compliant contract looks like, how do you keep your client contracts in compliance over time? You use contract automation software like LinkSquares.
GDPR Smart Values
LinkSquares Analyze uses cutting-edge artificial intelligence to "read" legal documents and extract key "smart values" within your contracts. With LinkSquares, you can identify any legal agreements that contain or lack these values, and categorize the contracts that include specific versions of these related terms.
Smart Values helpful for GDPR
- Data Breach Clause
  - Is your Data Breach language updated for GDPR?
- Data Breach Notification Period
  - Do you conform to the mandated 72-hour notification window?
- Data Breach Notify Immediately
  - Does your contract commit to immediate notice, going beyond the 72-hour deadline?
- Audit Clause
  - Do you allow audits to include the data and records relevant to GDPR?
- Assignment Clause
  - Does your assignment clause also include subcontracting rights and, if so, do they conform to GDPR requirements?
- Confidentiality Clause
  - Does your confidentiality clause address personal data and, if so, does it conform to GDPR requirements?
LinkSquares Analyze also supports full-text search of your contract repository, and you can generate regular search reports against GDPR-relevant terms.
You can know any time a legal agreement adds, removes, or alters terms such as:
- Standard Contractual Clause
- International
- Data transfer
- Article 28 (the article of the GDPR that sets out processor obligations and the required terms of a controller-processor contract)
Conclusion
The EU's General Data Protection Regulation is a complex and demanding regulatory framework that is challenging to comply with, especially given that the guidance, case law and model clauses around it keep evolving. It's not enough to review and adapt your legal agreements to GDPR once; you must regularly audit and update your contracts to keep them in compliance with the latest GDPR standards.
And to do that at a reasonable scale in a reasonable time frame, you'll need the latest contract automation software.
LinkSquares Can Help
LinkSquares uses natural language processing AI to parse and analyze your legal agreements, allowing you to identify any contracts that are out of GDPR compliance with speed and ease. By taking the drudge work out of contract analysis, you can perform regular reviews of your entire legal portfolio, so you can keep pace with GDPR evolution, as well as any other regulatory or business updates that are necessary for the modern marketplace. If you're ready to get and stay in GDPR compliance -- and stay ahead of the contract-compliance curve going forward -- then contact LinkSquares today.