GDPR: There are 90 or so clauses that should now be present in a supplier contract and these can be categorised under three main headings: service, legal, and cost. Data security is one of the weakest contract areas.
GDPR is driving a major review of how we handle personal data and sparking much discussion.
One of the spin-offs of the GDPR has been to bring IT vendor contracts sharply into focus. A business cannot become GDPR compliant on its own: its partners and wider ecosystem, including the technology partners and cloud-based providers that process personal data on its behalf, must be covered too, and those responsibilities have to be defined and written into commercial contract terms. Writing the new GDPR terms into every supplier contract where the IT vendor touches personal data is the last, but crucial, step in achieving compliance. In practice this means the final focus falls on defining and agreeing the GDPR terms in the third-party agreements, which for any vendor acting as a processor includes the mandatory controller-processor terms set out in GDPR Article 28.
Are there risks lurking in the terms of contracts between an IT department and its IT system or service vendors? Our experience says yes. Until now this area of vendor contracts has tended to be loose, with clients accepting vendors' standard terms and/or addressing only the legal parts of the contract. The GDPR is so much more stringent than the legislation it replaces that old contracts have no chance of complying unless they are reviewed and renegotiated.
In reality, there are 90 or so clauses that should be present in a supplier contract, and these can be categorised under three main headings: service, legal, and cost. Reviewing the legal terms requires some legal knowledge, while the other, more operational areas require a clear understanding of what is fair and best practice for that particular type of IT contract.
Some of the weakest areas in supplier contracts are those that bear directly on data security. For example, on the contract terms around Disaster Recovery, more than half of the standard supplier contracts we review fall short of best practice, and a large percentage omit the wording and contract terms that a responsible business would expect to see.
The contractual areas around Services tend to be problematic too, with Service Development, Service Levels, and Service Quality typically the weakest. Clauses relating to services are often poorly defined and give the customer little protection. They should state the respective responsibilities of both parties, the customer and the supplier, and make clear who should do what, and when; yet terms setting out customer and supplier responsibilities are often missing altogether from service provision contracts.