At the IAPP Europe Data Protection Intensive in London recently, attendees experienced an entertaining and creative session where the EU General Data Protection Regulation was personified to assist a data controller and a data processor in a very lively contract negotiation.
In this role-playing game, "M. Hardbargain" was the hypothetical data controller, played by Promontory's John Bowman, CIPP/E, and "Mrs. Notsocool" was the hypothetical data processor, played by Nathalie Laneret, CIPP/E, CIPM, who is group data protection officer for Capgemini. The two were negotiating contractual terms on the phone in order to finalize their future collaboration on “Big Cloud Chain of Intelligent Things,” in compliance with the new provisions of the GDPR.
The role-play provided for discussions around 10 topics: data protection impact assessment, security measures, audit, data breach notification, liability, data transfers, Brexit, sub-processors, assistance, deletion of data at the end of the contract. The personified GDPR was played by Stephanie Faber, author of this article and head of Data Protection Commercial & IT at Squire Patton Boggs, before a sympathetic and amused audience. A lively and intense Q&A session followed on how to handle controller and processor relationships in the most GDPR compliant and pragmatic manner.
The session revealed the challenge of applying the GDPR's provisions, resulting in most cases in controversies, disagreements or even downright arguments, exacerbated by the negotiation environment, where each party was trying to leverage the relevant provisions to their full extent to meet their respective business objectives.
Some of the takeaways were:
- Do not think that you are the only one facing stumbling blocks when trying to comply with GDPR requirements in your contractual relations with a controller or, as the case may be, a processor. We are all having a hard time on both sides of the table.
- The liability and obligations of processors have really changed, and the GDPR allows for less flexibility and new challenges in the contract negotiations.
- The contract between the processor and the controller is not just a check-the-box exercise. It is a real contract negotiation that requires both data protection and contract law expertise, as well as contract negotiation skills.
- The GDPR does not deal with contractual liability of the parties toward one another, meaning that it does not say whether the processor can limit its liability or whether one party can require full indemnity from the other.
- GDPR requirements have to be weighed against the processor’s business model (for example in relation to contractual liability), which also has an impact on price, and against the processor’s own security concerns (for example in relation to the risk caused by potentially numerous audits by all its clients). The clients should be able to make a risk assessment.
- The concept of “transfer” is much wider than some stakeholders expect. Even though it is not defined in the GDPR, it notably includes technical access by IT maintenance teams. Therefore, it is not all about the location of the servers.
- There can be a fair deal of debate on the extent of the processor’s obligation to “assist” the controller (as per Article 23 of the GDPR), notably in relation to DPIAs. One thing is certain, however: It is by definition limited to “the information available to the processor.”
- The timing of data breach notification by the processor to the controller is often a topic of disagreement.
- The client needs to prepare for the consequences of Brexit if its processor has teams processing data in the U.K.
- A line can be crossed very quickly: where the processor intends to use and keep the data for its own purpose(s), it will be deemed a data controller for this/these use(s).
- And finally, role-play is good training material.