Retail & Data Protection – Article 3: Managing risk in contracts

Monday 17th November 2025

Retail businesses rely on a vast ecosystem of vendors to deliver services, store data and generally support operations.

From a privacy perspective many of these suppliers act as data ‘processors’, handling personal data on behalf of the retailer (the ‘controller’) which triggers legal and regulatory obligations under data protection laws. Importantly, controllers cannot contract out of data protection laws and remain primarily liable for regulatory compliance.

More and more, businesses are exposed to significant privacy and security risks through their suppliers, but often lack the contractual protections needed to manage those risks effectively. It has become a regular occurrence to see ‘processor’ breaches in headlines, and unless organisations manage contractual risk through appropriate protections they may find themselves without a remedy when things go wrong.

This article aims to provide a quick overview on the privacy risks involved in supplier contracts and how effective negotiation can help mitigate compliance risks.

1. Mandatory clauses required under the UK GDPR

Article 28(3) of the UK GDPR is a starting point of reference for the minimum legal obligations which apply when a controller engages a processor to undertake data processing activity. For example, if a retailer contracts with a marketing platform provider, this is likely to be a controller to processor relationship which requires certain provisions to be included in that contract. These include that the processor must process data only on documented instructions of the controller, maintain confidentiality, and implement appropriate security measures to protect the data, amongst other obligations. While the full list of requirements is extensive, the main purpose is clear: to ensure personal data is handled lawfully and securely by suppliers so as to ensure appropriate protection of personal information.

Although these elements may be seen as legal formalities, they should also be seen as practical safeguards to ensure that personal data is processed securely, and that controllers can see how it is handled.

2. Using the data processing agreement as a tool

It is important that retailers recognise Article 28(3) as a risk-management tool, and not just a regulatory requirement. These mandatory clauses often give a controller greater rights than those under any principal services agreement, which are generally open to negotiation between the parties.

For example, although vendors generally want to restrict the rights of their customers to audit their compliance, premises and IT infrastructure, Article 28(3) is clear that processors should allow for and contribute to audits, the scope of which is generally subject to negotiation in the contract. Often these audit clauses are included but never exercised; they can nevertheless be used to promote contractual compliance and best practice.

Article 28(3) also requires processors to adopt technical and organisational measures appropriate to the risk posed by the relevant processing. This clause can lack clarity, and the best contracts are more prescriptive on minimum security standards; for example, encryption of data at rest and the frequency of penetration testing on any IT system. Contracts can also specify minimum technical standards or include references to established frameworks such as ISO 27001. Investing the time to obtain these types of commitments can help retailers convert vague obligations into measurable indicators.

3. Liability and data breaches

Whether liability and indemnities are included in a principal agreement or in a data processing agreement, liability for data protection law breaches is the subject of much debate between controllers and processors. Retail businesses contracting with data processors naturally will expect suppliers to stand behind their product, their security measures and ultimately bear the financial consequences of a data breach caused by the relevant processor.

Signing a supplier's standard terms and conditions will generally mean the relevant processor's liability is heavily capped, to the point that retailers will not be able to recover their losses in the event of a breach under that contract. It is important to consider this issue from the outset of a commercial relationship, as early discussions of risk allocation are more likely to foster agreements which are commercially feasible and ensure that the appropriate legal protections are in place.

There are many facets to constructing and negotiating an appropriate liability cap in any agreement; it is by no means one-size-fits-all and often requires legal input.

4. Good governance

Governance often dictates the success of any contract. A carefully crafted contract does not eliminate the possibility of issues arising, and ongoing monitoring is essential. From a privacy perspective, regular service level and security reporting, along with governance meetings including people of appropriate seniority and knowledge of the subject matter from each organisation, all help to track compliance with both the main agreement and the data processing agreement.

Ultimately, it is open communication and shared responsibility which ensure good governance in the supplier relationship and reduce the likelihood and impact of breaches.

Key takeaways

Rather than seeing a data processing agreement as a tick-box exercise, a more effective approach is to view the whole contract holistically: as a tool made up of all these different components, accurately defining important rights such as audit and security measures, and making sure that liability is comprehensively addressed. Good governance completes this process, as it ensures that privacy obligations are properly supervised and implemented throughout the lifecycle of the agreement.

If you would like any further guidance on legitimate interests processing or any advice on privacy contracts or AI, please contact one of our experts.

This article is the second in a series exploring privacy and data protection in retail. Take a look at the other articles here.

Article 1 – Why retailers should be talking about privacy

Article 2 – Legitimate interest processing – how can retailers stay on the right side of compliance?