If it seems there has been a flurry of privacy updates and more talk about GDPR contract compliance, it’s for good reason. GDPR (General Data Protection Regulation) has actually been around since 2016, replacing the old data privacy laws that had become outdated. Once it was adopted, all companies were required to become fully compliant and meet its standards within two years. From May 25th of this year on, the rules and regulations set forth by GDPR are in force and must be followed.
GDPR “regulates the processing by an individual, a company or organization of personal data relating to individuals in the EU.” These rules apply to all EU countries, including Iceland, Liechtenstein, and Norway. They also apply to any organization, wherever it is based, that does business with anyone who is in the EU. The rules do not apply, however, to personal data that is processed for purely personal reasons (for example, emailing a birthday party invitation to your friends and family).
If an organization or company processes personal data for its business purposes either in the EU or about someone from the EU, then it is subject to GDPR. Conversely, if you do not operate in the EU and do not do business with anyone from the EU, then you are not subject to GDPR.
The purpose of GDPR is to make sure your prospects are better informed about, and in control of, the data your company collects on them. This means you need explicit consent to process any of their personal data. When someone submits their personal information, they must be told who is processing the data (your company or whoever acts on its behalf), the purpose of the processing, and any other companies that would receive their data. You can see the full list on the EU’s website. If personal data does need to be collected, it should be limited to what is necessary. All the information presented to an individual needs to be “concise, transparent, and intelligible” and “drafted in clear and plain language.”
Essentially, companies need to prove that the individual consented to the collection of their data and is fully aware of what is happening with their information. Companies also need to make sure that individuals can easily withdraw their data. For some companies, depending on the data being processed and the type of organization, a Data Protection Officer (DPO) may need to be appointed. A DPO is required for public authorities and for organizations that process sensitive data and carry out systematic monitoring on a large scale.
There are large fines for failing to maintain compliance. While administrative fines vary depending on the nature of the violation, they are not to be taken lightly: some can reach $11.8M USD (10M EUR) or up to 4% of total worldwide annual turnover for the preceding financial year.
No matter the type of contract you have, it's important to make sure that how the data is being processed is compliant. Review your contract terms and ensure that the terms are concise and transparent, and update them accordingly. It is also important that you understand how your vendors manage and protect their data. Doing business with someone who is not compliant under GDPR can affect your organization as well.
The main purpose of GDPR is to provide a consistent way to monitor and protect data, so the security of your contracts should always take priority. Having contract management software in place can help streamline the process through easy searching and reporting, giving you a list of the contracts that need more attention than others.
It can be overwhelming to manage large amounts of data on your own. With the right tools in place, you can have peace of mind knowing that your customer data is being protected and managed appropriately.