There is a constant stream of information coming out about GDPR – the General Data Protection Regulation – most of it with a sense of urgency, if not doom, about it. A recent article by Efficio, one of the valued organizations in the DetermineAlliance Partner Program, laid out a very clear and rational explanation for how to approach GDPR compliance. In essence, you need to see where your risks are so you can plan for them.
Penalties for non-compliance can be up to €20 million or 4% of annual global turnover – whichever is higher.
This fact gets a lot of airtime. And it should – it’s a stiff penalty by any measure. While the need for compliance is the biggest factor on any companies’ to-do list, there are also advantages in terms of building customer trust and enhancing organizational reputation. What follows are three ways contract lifecycle management can play a key role in ensuring your organization is ready on the May 25, 2018 deadline.
- Review of your third-party agreements with suppliers and vendors that have access to your EU personal data to ensure those agreements comply with the GDPR.
While there is a delineation between data controllers and data processors, your company as the controller (or owner?) is responsible overall. According to Efficio, the first step is to know which of your third parties is affected by the GDPR rules, and what you want the outcome of the contract relationship to be. A CLM or contract management solution – especially if it is linked with a supplier management solution sharing integrated data – would make this task simple with one-click access to all supplier contracts in the enterprise repository.
This allows you to quickly determine the precise flows of personal data across your supply chains in order to see who has access to that data, all the sub-processors and where data is actually being processed. In other words, where are the potential greatest risks. From there you can review each suppliers’ data protection provisions, as well as highlight which ones are in need of more stringent risk profile criteria.
- Items that you must include in contracts with suppliers who have access to EU personal data based on Article 28.
There are a lot of articles in the GDPR, but not always a lot of clarity about them. Article 28 is one of those that is comparatively straightforward. It states that any suppliers (processors) with access to applicable data must provide sufficient guarantees that they have appropriate technical and organizational measures in place to meet GDPR requirements. And that it must all be detailed in a binding contract. If that vendor wants to enlist a subcontractor, the controller company has to approve everything first, and in an ongoing fashion. That means your third-party risk has third-party risk potential as well, all of which needs to be monitored. There is no way to effectively do this without contract lifecycle management in place.
Contract Management, like Determine’s for instance, should enable you to control multiple contract families, types and extensions. Including real-time master data and metadata integration is necessary to achieving the transparency – and risk management – that the GDPR demands for your data inventory. You can’t manage what you can’t see – as long as you have the tools to know exactly what’s in your contracts you’ll be able to ensure that new requirements are in there, from 72-hour data breach notification to data protection impacts and the ultimate return of data.
- Prioritizing your GDPR strategy to ensure compliance when the time comes.
According to IAPP research – the non-profit global information privacy community – approximately six in 10 organizations report they will not be in full compliance with the GDPR when it comes into force. It is admittedly a massive task to achieve compliance, but even so, that is a huge percentage of companies that are going to risk the consequences. There aren’t really best practices yet, but developing a risk triage approach will help go a long way to meeting requirements.
It starts in-house, by working with enterprise legal teams to ensure contracts include protection against GDPR-related risk. It also means categorizing suppliers so you can work with them in the right order of priority on issues like liability, indemnities, adequate protections, and so forth. This of course means knowing with suppliers are most exposed to the regulations, and which are most business critical. A robust CLM provides that information as a matter of course. That could be the reason why, after training, the most likely response to GDPR risks in the IAPP research is investment in technology. There’s been a spike in companies using vendor management systems, and those considered “most thorough” include contract management to ensure proper compliance.
Organizations of all sizes are scrambling to with GDPR compliance mandates, and will continue to do so even after the May 25 deadline. Now, if you are based in the UK under the looming cloud of Brexit, how does that add to the complexity? The word “exponential” doesn’t begin to describe it.
Successfully managing all of this without a comprehensive CLM solution that aligns people, processes and data internally, enables transparency of third-parties and their inherent risk, and provides a large measure of process automation, is next to impossible. In fact, it is impossible.
Whatever level of GDPR compliance you’ve achieved so far, schedule a personalized demonstration of Determine Enterprise Contract Lifecycle Management – and / or Supplier Management.