Category: Compliance

Vendor Agreements: Avoiding the GDPR Administrative Nightmare

by Marie Korman, posted in Business, Compliance, Legislation, Privacy, Procurement, Risk Management, Vendor Management

GDPR graphic

By Marie Korman, J.D.- Freelance Writer

The compliance deadline for the EU General Data Protection Regulation (“GDPR”) is right around the corner. As companies scramble to meet the May 25, 2018 deadline, it may be tempting to quickly sign contractual amendments received from vendors to achieve GDPR. compliance. To avoid an administrative nightmare in managing GDPR commitments within vendor contracts, it is best to take a strategic approach from the very start.

The Problem

Companies that engage vendors for services that involve data hosting or processing of any kind and which might include the capture of EU resident’s data, will need a strategy for bringing their vendor contractual agreements into compliance. When companies engage multiple vendors, it means each one is likely to want a slightly different set of contractual terms. This presents an important problem when legislation like GDPR, requires companies respond shortly after a trigger event transpires. Varying terms means having to look up the corresponding contractual GDPR commitments each time an incident happens. This can waste valuable time and put companies at risk of fines and penalties.

The Solution

Companies should establish their own standard GDPR contract amendment or standalone agreement. This allows a company to set a single standard and utilize it with their entire vendor pool. A standard contract amendment would be a practical approach for companies who have multiple vendors but tend to have a single master agreement that governs all of the individual services received. A standalone agreement would be the best approach for those companies who have multiple vendors and several different contracts with each. The standalone agreement would provide protection and continued GDPR compliance when termination of individual contracts or signing of new agreements occur.

 When drafting a standardized GDPR contract amendment or standalone agreement a company should engage their Legal, Risk, and Procurement teams to ensure appropriate input from all vantage points. It is best to establish an agreed upon governance approach, so that it is clear which team will take responsibility for maintaining the GDPR template agreement and what role each team will play when the need for updates arise. Be sure to incorporate a version control process and historical archive in which to store previous versions. This can be important in the event of an audit, as the auditor may to ask to see a copy of the prior GDPR agreement.

The Benefits

Having consistent GDPR contractual terms will drive speed in responding to data incidents or inquires. Additionally, it will lower the cost associated with the administration of GDPR contracts, by limiting the number of GDPR templates needing maintenance. If revisions to the legislation occur in the future (which is likely) updates will consist of revising a single document and distributing it to the entire impacted vendor pool. It will also allow for a few individuals within a single organization to develop an expertise with the GDPR template, making the approval process for minor revisions requested from vendors faster.

The Result

A low cost, low maintenance, streamlined administrative approach for GDPR vendor commitments.

For more information about GDPR see https://ico.org.uk/for-organisations.