As my colleague Jos already described in his blog, the new GDPR regulation is of great importance to all organisations across the board. Especially for contract managers in the field of IT and their colleagues within that sector, the adoption of this regulation has many implications for their daily jobs in making sure the organisation adheres to it. This blog aims to give a more in-depth view of the implications specifically for the contract manager and procurement personnel.
Data which requires special attention
The first subject I wish to address is that the new regulations apply not only to data gathered on customers, but also to data on your own personnel and on third parties (think of suppliers, e.g. of temporary labour) of whom data is being registered. Specific data is labelled as “sensitive” by the GDPR regulatory framework. Examples are sexual orientation, religion and, more specifically, all data pertaining to persons under the age of 16. These kinds of data must be protected to a more extensive degree and are governed by strict rules regarding retention periods. As a contract manager, or anyone otherwise involved in the implementation of the GDPR, one should give extra consideration to these types of data.
GDPR for the (IT) contract manager
As a contract manager, one is commercially responsible for the contracts under management, so one of the main questions arising from the GDPR could be: “what commercial consequences could the new regulation have for my contracts?” Several cost drivers arise from the GDPR; I will describe the most obvious:
- Costs for data storage – A possible consequence is that your supplier needs to resort to new ways or locations for data storage. This is bound to incur costs.
- Costs for encryption – When data must be encrypted in new ways to comply with the regulation, the supplier will need to purchase or develop a new means of encryption.
- Costs for alternative modes of data transport/transfer – Secure data transport/transfer is an important part of the GDPR; where this is not yet in place, it needs to be implemented.
It is up to your organisation's policy on the GDPR how these costs are dealt with: will you accept them from your supplier, or is the supplier required to absorb them (in part)? Usually, the General Purchasing Conditions require the supplier to adhere to current legislation during the contract period; it would therefore be natural for the supplier to bear all the costs without passing them on to the contracting organisation.
An additional point regarding these costs is that the supplier will be able to spread the costs it is bound to incur across its entire client base; so do check that the share of the costs the supplier asks you to pay is realistic, also in relation to the percentage of the supplier's total turnover that your contract represents.
Many (mostly large) organisations send their suppliers a draft Data Processing Agreement (DPA) to sign, as a kind of take-it-or-leave-it deal. This draft DPA usually contains the requirements the organisation has regarding the processing of personal data by its suppliers, including a set of mitigating measures the supplier is required to meet. A standard clause of the DPA also transfers the responsibility for any and all penalties incurred due to non-compliance with the GDPR to the suppliers involved.
One of the interesting aspects of these standard DPAs is that many organisations impose on their suppliers their own idea of how the supplier should uphold the principles of the GDPR. On the one hand, this is a very understandable move considering the consequences of non-compliance, but doesn't the client take the seat of the supplier in doing so? In this day of functional specification and Best Value Procurement this seems an odd move: the supplier is asked to become the Data Processor because it is assumed to be the most suitable party based on its expertise; it should therefore be able to oversee the processing of data, the risks involved and the required mitigating measures much better than the contracting party. Ideally, the contracting party should require the supplier to mitigate risk, but not prescribe how; leave that to the specialist: the supplier.
Way of working to ensure all data processing is covered by DPAs
In the experience of our consultants, especially in large organisations, it is a heck of a job to ensure all the required DPAs are in place and signed by the suppliers. From this experience, we offer some points of interest that may help an organisation structure all efforts regarding the implementation of measures stemming from the GDPR, and so work as efficiently as possible. Do not start by sending out DPAs to suppliers, but start with:
- Mapping all the data processes concerning personal data that take place in, or on behalf of, your organisation. Be sure to involve functional managers, product owners and other stakeholders.
- Map data processes to applications and, consequently, map applications to suppliers. The aforementioned stakeholders are invaluable in this process. Be aware: it is not uncommon for an application to involve more than one supplier across the application stack.
- Do so for the entire organisation. It is not uncommon, especially in organisations with multiple business units, for this analysis to be performed per business unit. Bundling these efforts and their outcomes leads to large synergies, while getting DPAs signed that are valid for the entire data processing landscape.
- Map, per supplier, all the data processing that takes place for your organisation and include all of it in the Addendum to the DPA. In doing so, one DPA is created that can be used for all contracts with that supplier in the organisation. Do not forget to state in the Addendum for which contracts the Addendum (and therefore the DPA) is valid.
- Before suppliers are contacted regarding the DPA, be sure to install an effective consultation and decision-making structure in the organisation for handling remarks and questions from suppliers on the DPA. Make sure the conditions the organisation sets in the DPA that stem from Article 26 of the GDPR are not changed or weakened.
- Pair the signed DPA with existing contracts or signed quotations.
As a little extra for the contract manager, this course of action provides an opportunity to get reacquainted with the IT landscape.