Today, after several years of enforcement of the General Data Protection Regulation (GDPR), the risk and penalties arising from a personal data breach can still seriously affect your organization. Innovative technologies such as blockchain, IoT and AI-powered tools like ChatGPT can add further obstacles to resolving a breach if we are not prepared. That is why smarter solutions that respond more accurately to the GDPR are needed.
But there is hope. If you mitigate risk with well-crafted contracts and build effective collaboration between the contracting parties, each party will be informed in good time of any potential data breach that could hurt the performance of the contract. So, what do you need to know about the GDPR and the other privacy laws and regulations that could demand changes in how you write your business contracts?
The purpose of the GDPR, adopted by the European Union (EU) in 2016 and applicable since May 25, 2018, was mainly to define clearly the responsibilities of organizations processing the personal data of EU residents. Similarly, the first comprehensive U.S. consumer data privacy law, the California Consumer Privacy Act (CCPA),[1] in effect since 2020, regulates the use of personal information of California residents. Companies striving to keep themselves and their business partners compliant know all too well that violating either of these privacy regulations carries substantial penalties. This has changed how business contracts are now written.
The GDPR applies directly in all EU member states, which allows businesses to clarify their responsibilities throughout the EU and to proceed predictably. But do not forget that, because of the GDPR's extraterritorial scope, organizations outside the EU must also comply with it if they process the personal data of data subjects[2] located in the EU in connection with offering them goods or services, or with monitoring their behaviour within the EU. Non-compliance with the GDPR can cost up to EUR 20,000,000 or up to 4% of total worldwide annual turnover for the preceding financial year, whichever is higher.[3]
Organizations should therefore determine the legal impact of the GDPR on their contracts, and of all subsequent changes to the applicable data protection law, such as the new Standard Contractual Clauses,[4] on the agreements governing their business relationships.
Consequently, legal or privacy teams should review executed agreements to see whether they present a risk of non-compliance with the GDPR, and update them so that appropriate terms and conditions (T&Cs) are used. Similarly, new contracts may require new or updated data protection (DP) language (e.g., in contract templates or playbooks). Contract management tools may also require the organization to conduct a risk analysis and implement adequate security measures; for example, Contract Lifecycle Management (CLM) systems, which hold executed contracts and the personal data in them, should encrypt that data at rest and in transit and restrict access to authorized users. All of this requires careful review.
Contracts should only be negotiated and executed with partners that can meet the DP obligations. Pre-contractual risk assessments may help to verify future business partners. The GDPR requires that organizations acting as controllers use only processors that provide sufficient guarantees to implement appropriate technical and organizational measures, so that processing meets the requirements of the GDPR and protects the rights of data subjects. More than ever, business partners need to continually re-evaluate their data protection risk, because emerging technologies such as ChatGPT are changing how contracting is done.
Contracts with processors
Contractual T&Cs need to pass the data protection obligations under the GDPR down to any processor that will touch personal data in any format; the GDPR requires that processing by a processor be governed by a written contract (Article 28). Adequate cybersecurity measures and data storage obligations should reinforce these requirements.
Organizations should also use consistent language in their processor contracts to authorize processors to process data on their behalf and to stipulate how personal data will be processed and protected. For example, this includes:
- processing personal data only on the controller's documented instructions;
- assisting the controller in responding to requests from data subjects exercising their rights;
- cooperating in case of a data breach, including notifying the controller without undue delay;
- making available to the controller all information necessary to demonstrate compliance with Article 28 of the GDPR,[5] including by allowing audits or inspections; and
- flowing the same obligations down to any sub-processor, which the processor may engage only with the controller's prior authorization.
Indemnity and limitation of liability
For contracts between data controllers and data processors, negotiation over indemnification and liability is crucial. The consequences and extent of damage caused by a privacy breach can be difficult to estimate, so the parties negotiating liability clauses may have different expectations about the extent of the processor's responsibility.
The controller may seek a guarantee of unlimited processor liability, whereas the processor may try to reduce it and set a maximum cap regardless of the final amount of damage. This can lead to lengthy and complicated negotiations whose outcome often depends on the parties' bargaining positions. It helps to assess the real risk of the processing under the contract, such as the scope, type, volume and purpose of the data processing, and to determine whether the counterparty has previously experienced any privacy breaches.
To ensure security and reduce the risk of a privacy breach and the related liability, it is also essential to implement appropriate technical and organizational measures and control mechanisms: physical controls (locks, security cameras); administrative controls (incident response procedures and training); and technical controls (firewalls, anti-malware software, access control and encryption).
Transfer to third countries
Transfers of personal data to third countries (outside the EU/EEA) may involve higher risks to the rights of data subjects. Organizations should assess whether such transfers occur and which conditions must be met under the GDPR. Unless the destination country benefits from an adequacy decision, the transfer needs an appropriate safeguard such as Standard Contractual Clauses or Binding Corporate Rules,[6] and the organization should conduct a Transfer Impact Assessment (TIA) to check whether the law and practice of the destination country undermine that safeguard and, if so, implement supplementary measures (for example, encryption with keys held only in the EU).
Technical and organizational measures
The controller and the processor must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (Article 32 GDPR), and address the protection of data from hacking, theft or unauthorized access. At this stage a risk analysis may be required, but adherence to approved codes of conduct or certification mechanisms, and independent attestations such as ISO/IEC 27001 certification or a SOC 2 report,[7] may be used to help demonstrate compliance with the GDPR. Note that ISO 27001 and SOC 2 are not GDPR-approved certifications under Article 42; they evidence the security measures in place rather than GDPR compliance as such.
Insurance protection needed, possibly required
Insurance policies with new language addressing cybersecurity, the risk of data breaches or non-compliance with the GDPR may be required. They not only protect a company in case of a privacy breach but are also usually required by counterparties that share personal data with processors and expect their business partners to carry an adequate level of insurance coverage.
Storage and return of data
Both data controllers and data processors are responsible for protecting personal data and for storing it in compliance with the rights of data subjects and the GDPR principles of data minimization, purpose limitation and storage limitation (retention policy). Storage, retention, and the return or deletion of data at the end of the contract should also be addressed expressly in contracts between controllers and processors. Outside the GDPR, other laws may require that personal data (such as patient information from clinical trials) be held for a longer period than the usual industry standard in the U.S.
Impact of the California Consumer Privacy Act (CCPA) on contracts
The United States' first comprehensive consumer data privacy law, the California Consumer Privacy Act (CCPA),[8] effective in 2020, was amended in early 2023 by the California Privacy Rights Act. Additionally, the second comprehensive state law, the Virginia Consumer Data Protection Act (VCDPA),[9] took effect on 1 January 2023. That law is similar to the CCPA but not identical, so affected businesses will need to consider compliance with both laws separately. Colorado, Connecticut and Utah have comprehensive state privacy laws taking effect between July and December 2023, and other states, such as Indiana and Iowa, are following with their own laws in the next couple of years.
Two regulatory frameworks -- the CCPA/VCDPA and the GDPR
Both share commonalities, such as applying to companies located outside their jurisdiction, and key concepts such as the right to access information, the right to request deletion of personal data, and a notice requirement in the event of a data breach.
The main areas where U.S. privacy regulations depart from the GDPR are that U.S. penalties are, at face value, less severe than those for GDPR violations; that opt-in consent for data collection or cookies is generally not required under U.S. state law, which relies instead on notice and opt-out rights; and that the CCPA's definition of personal information extends to households, not just to specific individuals.
As with the GDPR, these CCPA obligations need to be considered when drafting T&Cs or negotiating data protection specifics with suppliers or subcontractors. Companies located outside California may not see an immediate nexus to this law if their operations are elsewhere, but its broad reach means that any company can be pulled into it if it has clients or partners operating in the state.
Tracking the requirements of regulators, such as the California Consumer Privacy Act (CCPA) versus the Virginia Consumer Data Protection Act (VCDPA), and complying with the requirements of other pending state laws is going to be complex. We may expect that larger companies with the negotiating power to do so will push many of the obligations and liabilities for breaches onto smaller partners.
Updating legacy contracts is crucial
The pace of change in the data protection environment is astounding. Framework agreements such as Master Services Agreements (MSAs)[10] or standalone agreements negotiated a few years ago may already lack important T&Cs related to the GDPR, the CCPA and other key regulations. It is especially important to revisit the data protection language in existing contracts with suppliers to verify that appropriate technical and organizational measures are actually in place, and to review the liability language to close any new risk gaps created by these changes.
Today, after several years of the above regulations being in force, the reputational risk and substantial penalties involved in a data breach are still a real threat to organizations, heightened by innovative technologies such as blockchain, IoT and AI-powered tools such as ChatGPT. To an extent, however, these risks can be mitigated by well-crafted contracts and good collaboration between the contracting parties, so that each party is always informed of any risk of a data breach related to the performance of the contract.
REFERENCES and END NOTES
- [1] California Consumer Privacy Act (CCPA), Rob Bonta, Attorney General, State of California Department of Justice.
- [2] "Data subject refers to any individual person who can be identified, directly or indirectly, via an identifier such as a name, an ID number, location data, or via factors specific to the person's physical, physiological, genetic, mental, economic, cultural, or social identity. In other words, a data subject is an end user whose personal data can be collected." Quoting the AT Internet definition.
- [3] Intersoft Consulting article titled GDPR Fines / Penalties.
- [4] Standard Contractual Clauses (SCC), European Commission article.
- [5] Intersoft Consulting article titled Article 28 GDPR – Processor.
- [6] European Commission article titled New Standard Contractual Clauses – Questions and Answers overview; see also the article cited in note [4].
- [7] Vanta article, How GDPR, ISO, and SOC2 can level up your selling game; see also the Sprinto article Difference Between GDPR and ISO 27001, March 2023.
- [8] See note [1].
- [9] Virginia Consumer Data Protection Act: A Growing Wave of Comprehensive State Privacy Laws, Amy C. Pimentel.
- [10] Master Services Agreement (MSA): a framework agreement that sets out the general terms governing a series of future orders or transactions between the same parties, each typically documented in a shorter statement of work or order form.
ABOUT THE AUTHOR
Swapnil Shah has over 14 years of extensive experience and a demonstrated history of working in the corporate law and healthcare practice industry. Swapnil has provided tactical direction to drive business outcomes and achieve business goals. He has led multiple commercial contracting teams in various organizations and provided objective, practical, results-oriented assistance to address the ever-evolving business challenges facing healthcare companies. Swapnil has also been responsible for enterprise-wide strategic plans, company positioning, business plan development, validation, and researching/capitalizing on new market opportunities. Swapnil has sat on a policy-making board at Blue Cross and Blue Shield to introduce and implement ideas that improve the daily lives of health care patients. In his previous role at CVS Healthcare, Swapnil served as the Director of an adaptive contract management and rebating team that was responsible for mitigating risk, negotiating, and maximizing profitability for a variety of multi-million-dollar healthcare pharma contracts.
Nexdigm is an employee-owned, privately held, independent global organization that helps companies across geographies meet the needs of a dynamic business environment. Our focus on problem-solving, supported by our multifunctional expertise, enables us to provide customized solutions for our clients. We provide integrated, digitally driven solutions encompassing Business and Professional Services that help companies navigate challenges across all stages of their life cycle. Through our direct operations in the USA, Poland, UAE, and India, we serve a diverse range of clients, spanning multinationals, listed companies, privately-owned companies, and family-owned businesses from over 50 countries. Our multidisciplinary teams serve a wide range of industries, with a specific focus on healthcare, food processing, and banking and financial services. Over the last decade, we have built and leveraged capabilities across key global markets to provide transnational support to numerous clients.