As my colleague Jos already described in his blog, the new GDPR regulation is of great importance to all organisations across the board. For contract managers in the field of IT and their colleagues in that sector in particular, the adoption of this regulation has many implications for their daily work in making sure the organisation adheres to it. This blog aims to give a more in-depth view of the implications specifically for contract managers and procurement personnel.
The first subject I wish to address is that the new regulation applies not only to data gathered on customers, but also to data on your own personnel and on the staff of third parties (think of suppliers, e.g. of temporary labour) whose data you register. The GDPR labels specific categories of data as “sensitive”. Examples are sexual orientation and religion, and, more specifically, the GDPR also singles out data pertaining to persons under the age of 16 for extra protection. These kinds of data must be protected to a greater degree and are governed by strict rules regarding retention periods. As a contract manager, or in any other role in the implementation of the GDPR, one should give extra consideration to these types of data.
As a contract manager, one is commercially responsible for the contracts under management, so one of the main questions arising from the GDPR could be: “what commercial consequences might the new regulation have for my contracts?” Several cost drivers arise from the GDPR; I will describe the most obvious:
How your organisation deals with these costs is a matter of its GDPR policy: will you accept them from your supplier, or is the supplier required to absorb them (in part)? Usually, the General Purchasing Conditions require the supplier to adhere to current legislation throughout the contract period; where that is the case, it follows that the supplier must bear all of these costs itself without passing them on to the contracting organisation.
An additional point regarding these costs is that the supplier can spread the costs it is bound to incur across its entire client base; so make sure that the share of the costs the supplier asks you to pay is realistic, also in proportion to your contract's share of the supplier’s total turnover.
Many (mostly large) organisations send their suppliers a draft Data Processing Agreement (DPA) to sign, as a kind of take-it-or-leave-it deal. Such a draft DPA usually contains the organisation's requirements regarding the processing of personal data by its suppliers, including a set of mitigating measures the supplier is required to meet. A clause transferring liability for any and all penalties incurred due to non-compliance with the GDPR to the suppliers involved is also a standard element of these DPAs.
One of the interesting aspects of these standard DPAs is that many organisations impose their own idea of how the supplier should uphold the principles of the GDPR. On the one hand this is very understandable given the consequences of non-compliance, but doesn’t the client take the supplier's seat when doing so? In this day of functional specification and Best Value Procurement this seems an odd move: the supplier is engaged as Data Processor precisely because it is assumed to be the most suitable party on the basis of its expertise, so it should be able to assess the processing of the data, the risks involved and the required mitigating measures far better than the contracting party. Ideally, the contracting party should require the supplier to mitigate the risk, but not prescribe how; leave that to the specialist, the supplier. The GDPR itself leaves room for this: Article 28 requires the controller to use only processors offering sufficient guarantees and to stipulate in the contract that the processor takes the measures required by Article 32, which is risk-based rather than a fixed checklist of controls.
The experience of our consultants, especially in large organisations, is that it is a heck of a job to ensure all the required DPAs are in place and signed by the suppliers. Based on this experience, we offer some points of interest that may help an organisation structure its efforts to implement the measures stemming from the GDPR and work as efficiently as possible. Do not start by sending out DPAs to suppliers, but start with:
As a little extra for the contract manager, this approach also provides an opportunity to get reacquainted with the IT landscape.