What is trending in data protection this autumn is advice on what to tell clients and prospective clients about the organisation’s GDPR compliance. As part of their own GDPR compliance, clients and prospects want some assurance that GDPR issues have been addressed and that service providers and partners will continue to operate in a way consistent with GDPR compliance.
Audit and certification
Some clients ask for an audit, or for certification, demonstrating that appropriate controls are in place. There is currently no official GDPR certification scheme in the UK. GDPR provides for certification schemes approved by the national supervisory authority (the Information Commissioner’s Office in the UK) or operated by accredited certification bodies (Articles 42 and 43), so these may be introduced in future. As many UK businesses are still working towards GDPR compliance, and paying the costs associated with that, it may be premature to require a full compliance audit at the service provider’s expense. If an existing client asks the organisation to commission an audit, a reasonable tactic is to explain that the GDPR implementation programme is still underway and offer an audit by May 2019. This is unlikely to satisfy prospective clients, however, who have yet to commit to placing business with the organisation and want assurance now.
Responses to Tender
To help prospective clients meet their own obligation to check the compliance of their service providers, and possibly to forestall requests for audits, it is recommended that a suitable form of words be included in responses to tender. The tenderer should give assurance that it understands the legal framework of GDPR and has addressed the compliance issues that apply to the services offered. The organisation’s Data Protection Policy may be attached to the response to support this position. Further information may be needed if follow-up enquiries are made, so it is worth deciding in advance what additional material could support the organisation’s position, for example a GDPR compliance plan showing the steps already taken and those still to be completed, so that readers get a clear picture of the current state of data protection compliance at the organisation. At the time of writing (Autumn 2018) it would also be advisable to address Brexit issues where relevant, in particular the basis for any transfers of personal data between the UK and the EU.
Up to date contracts
Finally, a GDPR-compliant contract, whether a data sharing agreement between controllers or a data processing agreement between a controller and a processor, is essential. The minimum content of a data processing agreement is stipulated in GDPR (Article 28(3)): the processor may act only on the controller’s documented instructions, must impose confidentiality on its staff, must take appropriate security measures, may engage sub-processors only with the controller’s authorisation and on equivalent terms, must assist the controller with data subject rights and with security and breach obligations, must delete or return the data at the end of the service, and must make available the information needed to demonstrate compliance, including audits. Both kinds of agreement should have been updated for GDPR so that legal references are current (references to the Data Protection Act 1998, now repealed and replaced by the Data Protection Act 2018, could seriously undermine your compliance position at this stage!) and so that they reflect GDPR’s increased accountability requirements. Templates of the new wording can be obtained from a variety of sources, although these are still largely paid-for services; free downloads are not yet widely available.
Appoint a central contact for data protection
As a final point, data protection compliance is easier if someone takes the lead at the organisation. This should be a senior person, and they will need training to understand the legal framework and to apply that knowledge to the organisation’s normal business activities. Note that some organisations, such as public authorities and those whose core activities involve large-scale regular monitoring or large-scale processing of special category data, are required to appoint a formal Data Protection Officer (Article 37). Providing clients and prospective clients with the contact details of a central contact for data protection helps reassure them that GDPR questions will be dealt with promptly and competently.
When extra resource is needed
Remember that all of these activities can be undertaken by your in-house team or outsourced to lawyers or consultants. A possible halfway solution is to use consultants to set up the framework and to train the in-house team to keep tender and contract issues under review. Difficult questions can always be referred back to consultants and legal advisers if the in-house team does not have all the answers.