The new General Data Protection Regulation (GDPR) came into effect May 25th of 2018. It’s meant to protect EU citizens’ data privacy and puts new demands on how businesses approach data privacy. Your contract management process might be in need of review to ensure compliance with the new regulation.
With the General Data Protection Regulation come higher demands on companies that manage personal data. This applies whether you’re a “controller”, deciding the purpose and manner in which personal data is used, or a “processor”, handling personal data on behalf of a controller.
The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years
Failure to comply with the GDPR potentially brings hefty penalties: up to as much as €20 million or 4 % of the global turnover, to be exact. Despite this, some companies still need to redesign their contract management process to ensure GDPR compliance.
GDPR & Contract Management
With higher demands on your business comes higher demands on the systems and solutions that you’re using. Your contracts might contain personal data, meaning that they might be subject to the new regulation. With this in mind, it’s important that your contract management solution helps you become and stay compliant.
To help you on the way, we’ve listed five key features that your contract management software needs in order to support you on your way towards GDPR compliance.
1. GDPR & contract storage
Data security is already important to both you and your clients, but the GDPR might clarify or add certain requirements. Article 5 of the regulation states that you must have protection against e.g. unauthorized entry and accidental loss or destruction of personal data.
In order to achieve this, you will want to gather your contracts containing personal data, and preferably all of your contracts, in one place (which, as further described below, should also be secure). Essentially, minimizing the number of systems containing personal data (e.g. in contracts) will make it easier to comply with the new legal requirements.
“… [S]trangely many companies don’t have a single defined repository, even with GDPR and other regulations virtually demanding it.”
Apart from keeping your contracts in one place, you will naturally want a secure platform for storing all your contracts containing personal data. You can achieve this by using a solution with Transport Layer Security (TLS) and a high-grade cipher suite, to make sure your data is transmitted safely. Furthermore, you will want to ensure that your cloud provider maintains a high level of physical security, which can often be fulfilled when your contract management solution is hosted in secure data centers.
Being able to limit internal access and set up workflow-related security measures is also important. Consequently, you should look for features such as automated approval workflows, different user-level access permissions and – of course – two-factor authentication for accessing the system.
2. Easy data access
The GDPR also aims to protect fundamental rights and freedoms of natural persons, which in non-legalese means that people whose data you’re handling will have more extensive rights.
By now, you’ve probably heard about the right to be forgotten and the right to data portability. In order to ensure compliance with these rights, your contract management solution needs to make it easy to identify and erase contracts containing personal data. This can, for instance, be achieved with powerful searching and filtering features, which will help you find the contract you’re looking for, quickly. To state the obvious, the lack of search capabilities is also one of the most important reasons to say goodbye to your physical binders 🙂 Not least in light of the new regulation.
3. Contract authoring equals control
As previously mentioned, the GDPR brings more responsibilities for your company in terms of managing personal data. The processor who conducts data processing activities on your behalf is still held responsible if they act outside of the authority granted by you (and vice versa). You will, consequently, want to make sure that your third-party processor’s activities are compliant.
With this in mind, it’s important that areas such as the processor’s obligations are clear as day. This puts higher demands on the contracts that you use with anyone managing personal data on your behalf.
Therefore, we recommend that you use contract management software with state-of-the-art contract authoring capabilities. What to look for here is, inter alia, the ability to:
- set up templates in a central repository, including standard clauses and fallback options, to be used for the whole organization, and
- determine rules for the end-users to make changes in contracts (which is often combined with an interview-based way for end-users to draft contracts, instead of copy-pasting in a rich-text editor).
4. E-signatures make GDPR compliance easier
On top of contract authoring capabilities, a solution containing advanced e-signatures will make compliance even easier, in at least two regards. First and foremost, the new regulation specifies strict criteria for gathering consent to process an individual’s personal data. As the individual’s consent has to be unambiguous, informed, specific, freely given, and documented, e-signatures can enhance your ability to fulfill the requirements, especially as e-signatures make it easier to capture consent immediately at the point of data collection.
Second of all, the new regulation stipulates certain conditions for contracts between data controllers and data processors (e.g. a system provider that processes the personal data you control). Many businesses are therefore required to update their data processing agreements with third-party suppliers. Together with the contract authoring abilities as described above, advanced e-signatures can streamline the process of updating the contracts to meet the GDPR requirements. Besides accelerating the signing process, e-signatures will give you total visibility of the status of each contract and who has yet to sign.
5. Contract event tracking
Time is another important aspect of compliant GDPR contract management. Since Article 5 of the GDPR also states that data should not be processed for longer than is necessary to fulfil the purposes for which it is processed, you will want to track certain events in contracts. Furthermore, an engine with smart reminders for the tracked events is preferred.
Using a solution with event tracking throughout the entire contract lifecycle can help you a great deal. You can use event tracking to minimize the time of your personal data processing, but also to keep track of other due dates such as obligation reporting, contract renewals, and renegotiations.
GDPR & Contract Management Systems
In conclusion, using a powerful contract management system with the features mentioned above can help you ensure GDPR compliance. This is especially important to keep in mind since an inadequate system could damage your business or lead to a lot of unnecessary manual contract-related work. Because of this, it’s important to review your current contract management process.
Our lawyers wanted to add a disclaimer, so here it is: This article is for informational purposes only and is not intended to provide or constitute legal advice of any kind. The accuracy of the information in this article is not warranted or guaranteed. You should not act or rely on this information without consulting a legal professional. You should consult a legal professional in the relevant area if you are in need of legal advice.