Few lawyers in the country are busier right now than specialists in Privacy law.
Unless you’ve been hiding under a stone, you’ll be aware that the EU’s new General Data Protection Regulation (GDPR) will come into force in May 2018. CIO UK has written about GDPR extensively (and talked about it – check out my colleague Annabel Gillham on episode 2 of the CIO UK podcast) and my firm, MoFo, has a GDPR Readiness Center providing details about the changes.
So there’s plenty for CIOs and their advisers to do to get GDPR-ready. Some changes will be internal, others external in terms of relationships with other entities who handle data.
One of the potentially time-consuming problems is how to go about agreeing new contract provisions in relevant agreements – many of which may have been in place for years. You want to make sure that your agreements comply with GDPR, of course, and it’s relatively easy to draft a set of terms that comply and impose appropriate handling obligations up and down the chain of any given data flow.
Going forward, you simply start to put those terms in new contracts. Easy, right? But what do you do with existing contracts? How do you persuade your customer or supplier or partner to accept the new terms?
Maybe you follow the lead of the UK government, which told all government departments simply to make unilateral changes to their government contracts to comply with GDPR with effect from 25 May 2018 (the effective date of GDPR). And the official policy is that all costs of compliance with the new rules should be borne by the contractor and not passed through to the government. It’s not clear how the UK government intends to implement these contractual changes given that, in almost every case, the terms of the relevant government contracts don’t allow for unilateral contract variation. So how do you make unilateral changes to a mutually agreed contract? Well, generally you don’t and can’t – which leaves the government in an interesting position.
(It’s possible that this approach was inspired by those within government who similarly felt that a successful Brexit was simply a matter of the UK telling the EU what terms we wanted to apply. It doesn’t seem to be happening like that.)
Many organisations face the problem of needing to update online terms and most choose some mechanism that alerts users to changes, gives them the option to download new terms and allows users to cease using the service if they don’t agree with the change. But the assumption is that future use constitutes assent.
To a large degree, under UK law, that ought to work – although the more material and adverse a change is the harder it becomes to justify it as reasonable, and changing terms that apply to a free service is easier than changing terms that apply to a paid-for service. It gets trickier on pan-European terms because other countries, especially Germany, have much tougher rules on unilateral contract changes, so consistency of approach becomes harder to maintain.
GDPR will throw an even greater spotlight on the validity of privacy-related terms. Organisations routinely evolve their uses of historic data to cover new forms of processing – as they consider adopting AI or machine learning, for example. But the recent revelations about Cambridge Analytica’s use of personal data show how important it is both to understand precisely what use is made of data and to have (and respect) the terms that apply to all uses.
You can’t fault the Crown Commercial Service’s sense of compliance in telling UK government departments to go through the process of identifying existing contracts that involve the processing of personal data and then write to all contractors notifying them of the changes that are intended to be made to relevant contracts to bring them in line with the new data privacy rules.
In the run-up to GDPR, government departments – like all data users and controllers – will be expected to conduct due diligence on existing contracts to ensure that their contractors and partners are implementing the appropriate technical and organisational measures necessary to comply with GDPR (i.e., to provide guarantees of their ability to comply with the new regulations). As well as updating relevant contract terms, it may also be necessary to modify service specifications, statements of work and service delivery schedules to set out clearly the roles and responsibilities of data controller and data processor.
But having done the hard work of identifying what changes are necessary, it’s also important to work out how to make those changes and to make sure that the changes get implemented at the right time. Life’s not like Brexit: you can’t simply tell the other party that you’ve decided to change and here are the terms that will apply in the future. Oh, hang on – maybe Brexit’s not like that either…