Do Your Commercial Contracts Need A Health Check?
Commercial contracts and terms and conditions for the supply of goods/services (T&Cs) are a vital part of any business and it’s important to ensure that these documents are maintained and updated to reflect changes in legislation.
The implementation of the General Data Protection Regulation (GDPR) on 25 May 2018 is a prime example and is a major shakeup for many UK businesses. So if you haven’t had time to address GDPR yet, it’s likely that your T&Cs will need a health check!
Complacency can be highly costly
In order to give the GDPR the gravity that data protection deserves, the Government has adopted a range of enforcement powers, which, in some cases, could prove devastating for businesses in breach.
If you do not update your T&Cs to ensure that they are GDPR compliant, the risks are that your business may be subject to:
- suspension of data processing
This is the most important sanction to be aware of for companies operating in the tech sector, as the ICO has the power to temporarily or permanently stop businesses from processing data. For companies that rely on processing data as a major part of their business operations, this has the potential to stop those businesses from trading altogether.
- investigations by the Information Commissioner’s Office (ICO)
The ICO can undertake investigations which may result in the issuing of warnings and reprimands, ordering the rectification, restriction or erasure of data and the suspension of data transfers to third countries.
The recent action taken against Cambridge Analytica shows that the ICO is not afraid to get her hands dirty or use her wide-ranging powers. It’s likely that action by the ICO will only increase following the implementation of the GDPR.
- administrative fines
Businesses may be fined the greater of €20,000,000 or up to 4% of annual global turnover for certain breaches. You certainly wouldn’t want to be caught by this!
- litigation and court proceedings brought by individuals
Under the GDPR, individuals have the right to compensation resulting from a data breach. With this new right, we may also see a new type of class action emerging.
- considerable negative press
As we have recently seen with Facebook, breaching data protection (or even alleged breaches) can cause major PR issues. Facebook’s shares fell by a staggering £35million following the Cambridge Analytica incident.
Doing nothing is simply not an option as it is unlikely that your existing agreements will contain the compulsory provisions required by GDPR.
So which provisions of your commercial contracts and terms and conditions may need to be reviewed?
1) Data Protection Provisions
Data protection provisions are certainly a good starting point for updates. The GDPR requires contractual terms between controllers and processors which address (amongst other things):
- the security of personal data;
- what the personal data is being used and processed for;
- the rights and obligations of the processor;
- the requirements to return or delete personal data when the provision of the services has ceased; and
- on what basis sub-processors can be appointed by the processor.
2) Definitions and Terminology
The GDPR also includes certain updates to definitions previously incorporated by the Data Protection Act 1998. Each related definition in your T&Cs will need to be carefully reviewed and amended to reflect the updates in the GDPR. You may also need to include additional definitions not previously incorporated by the Data Protection Act 1998, in order to be in compliance.
3) Limitation Provisions and Indemnities
As discussed above, following the implementation of the GDPR, individuals will have greater rights to bring actions against companies and businesses for breach. The ICO will also have greater enforcement powers. It is, therefore, important to review any limitation provisions in your T&Cs to ensure that your business is best protected from any increased exposure.
Just like limitations, indemnities are a form of protection that may need to be reviewed to ensure that your business has contractual rights to recover loss, costs and expenses that may be incurred as a result of a breach by a third party, supplier, customer or user of your website.
4) Insurance
Depending on the type of business you operate, you may also wish to review any insurance provisions and obligations in your commercial contracts to ensure that the increased liability created by the GDPR is covered.
Ensuring that your commercial contracts and terms and conditions are up to date is important in any circumstance and it’s good practice to periodically review them and incorporate any necessary updates as a result of changes in legislation.
At Myerson, we have a team of GDPR experts and specialist commercial contract solicitors who have a wealth of knowledge in advising clients on a wide range of commercial contracts and terms and conditions.
We provide clients with varying levels of commercial contract health checks, from a simple review and report to undertaking business-wide audits and making active and extensive contract updates to best protect our clients.
If you would like further information on our commercial contract health checks and/or GDPR and how we can assist your company and business, please call us on 0161 941 4000 or email lawyers@myerson.co.uk and ask to speak with our specialist commercial contracts and GDPR team.