Managed services contracts to be re-written under GDPR
While the headline fines under GDPR of up to 4% of global turnover attract attention, the managed services industry will face some costly obligations and detailed contract provisions from next year. In many ways, managed service providers come into the compliance process for the first time, says Renzo Marchini, partner in legal firm Fieldfisher. Talking at the Managed Services and Hosting summit in Amsterdam on April 25, he outlined the changes in business relations with customers which are likely to become a new global standard for the IT industry.
Looking at the European IT industry, he says that contracts for managed services providers currently are very light on provisions. Major customers may have their own riders in their deals with providers, but in practice, all that is required by the current directive is that service providers take “appropriate measures”. GDPR will change the landscape for managed services contracts and there will be a lot of new clauses that will have to be included.
For example: required clauses now are on provisions to take “appropriate security measures” and act only on controller instructions
Future Additional clauses under GDPR will mean:
- Controller control over sub-contracting (sub-processing).
- Notification of data breaches and assistance responding to them
- Audit rights
- Assistance responding to data subjects exercising their rights.
- Deletion/return of personal data on termination
Customers will be insisting having audit rights, control of subcontractors, even over which vendors of solutions are acceptable. They have a right to object to certain vendors and all this needs to be covered in the contract, and the list of provisions will expand.
“The big sea-change for managed service providers is that controllers – as currently defined by data protection law as the ones who make the decisions about the data are currently just the customers. In future, that will change as the EC has recognised that the customer being in charge is a fiction – big entities supplying the service are actually in charge of security. So there will be provisions to examine the processes for security and ensure compliance by suppliers.”
“The other point is that there is a much wider scope for what is protected date and needs to be considered. Now it covers personal data, rather than the device. But cookies, IP addresses, and most other details about an individual will come under the regulators for the first time, and even anonymised data will face compliance hurdles,” he says.
And being a US business is no escape, even as a vendor. Territorial scope is widened – even global companies are now included in the European rules as a non-EU business selling into the region or monitoring data in Europe will come under the rules. “GDPR is fast becoming the global standard. Another reason for this is that global players will want to have the same information management protocols across their organisation.”
“When are you subject to data protection rules? If you just supply a physical data centre, you are probably not part of it.”
No longer should there be just compliance per se – organisation currently may just need to show compliance and make filings with the regulator. GDPR suggests that these filings will be replaced by internal record keeping. The new GDPR rules may change this, but it is not yet clear if the individual countries and regions will drop the need for filings. “We do not expect the UK to retain filings,” he predicted, but Germany may.
Data protection officers will be needed to show that organisations are complying and embedding a culture of privacy. Privacy by design is to be seen as good practice and built into projects from the start, so developers are affected. Under GDPR , there will be an obligation to include this for the first time, with privacy as a default. They will need to show why data is collected, the scope of the data and what is excluded.
A privacy impact assessment is currently rarely seen, but will become essential for controllers of data and service providers dealing with “high risk” data. And all this needs to be recorded and shown to be compliant as regulators can ask to see it. The legal basis for data will check that only the required data is being collected, and nothing more.
Fieldfisher is already involved in setting up systems to deliver this: “Clients are asking us to formalise the systems. Technology providers are also starting to deliver solutions to do this monitoring.”
There is a lot of extra work: if any enterprise is facing a high risk of data loss impact, then the regulator will need to be consulted. And a new group of people will emerge - data protection officers – the test in Germany is currently one for every ten people processing data – but this is likely to become a formal requirement if certain criteria are met. These include public authorities or anyone doing large scale monitoring of individuals such as advertising, tracking CCTV images, or using sensitive data such as health or political data. This is already an outsourced business in Germany because of the one to ten rule, he said.
“Special HR rules apply to Data protection officers who cannot be fired for giving advice the business owner doesn’t like. The DPO are supposed to be impartial.”
At the moment there is not general obligation to tell anyone if there has been a data breach, except in Germany and Austria. But this will change, and organisations will have to tell those affected without delay. So there are some key questions for dealing with processing of personal data in managed service deals
The analysis is not really different…but the effects are.
Under the current regime:
Data controllers are responsible for requirements.
Maximum fine for non-compliance £500k.
No liability for processors except pursuant to their contractual arrangements with a data controller.
Under the GDPR:
Processors have liability at law; not just under contracts.
Article 28 sets out a long list of requirements that must be included in contracts between controllers and processors, and processors have even less discretion as to how they can conduct processing activities.
Most data centre operators are acting as data controller with respect to the personal data that they actually process.
Individuals have enhanced rights including data portability and the right to be forgotten.
GDPR will be examined further at the London Managed Services and Hosting Summit on September 20th. More details here