Gartner Analysts Will Explore GDPR Challenges at the Gartner IT Sourcing, Procurement, Vendor & Asset Management Summits 2018 in Orlando and London
GDPR imposes many requirements on data processors. These include obligations to process personal data only on documented instructions from the controller, to inform the controller if the processor believes an instruction infringes the GDPR, to notify the controller of personal data breaches without undue delay, and to refrain from transferring personal data to a third country unless appropriate legal safeguards are in place.
“If you aren’t sure your suppliers meet all GDPR requirements, you need to rectify the situation immediately,” said Mr. Karalis. “Once existing relationships have been secured, you need to begin updating procurement processes to ensure GDPR requirements are built in for the future.”
The following nonexhaustive list is a great starting point for SVM leaders to set out expectations and requirements around GDPR in new contract negotiations:
- Definitions. Ensure definitions in your contracts reflect the revised definitions in the GDPR.
- Data breaches. If a data breach occurs, the vendor should notify you without delay after becoming aware of the breach. The vendor should be required to cooperate, investigate and remediate the breach. The vendor must also assist with any notifications required and work with the appropriate authorities.
- Data security. Assess if you need to use special measures such as encryption. Consider if you need to implement “data protection by design.”
- Data processing. Set up the vendor’s data processing to allow for the fulfilment of data subject requests. For example, all information that is necessary to demonstrate a vendor’s compliance with its processing obligations should be made available to you. All data processing activities that a vendor performs for you should be documented.
- Vendor cooperation. The vendor needs to support any audits that you perform or a third party performs on your behalf to verify the vendor’s GDPR compliance. The vendor must support any data protection impact assessments that you conduct.
- Dealing with fines. Per the vendor’s risk profile, consider if you need to modify the indemnities, limits of liabilities and other similar clauses to hold the vendor appropriately accountable for noncompliance with the legislation.
“Being explicit about what you need from vendors is critical,” said Mr. Karalis. “Moreover, it’s important to explain the implications of key GDPR clauses to your stakeholders as well as to your suppliers.”