GDPR & Contract Management – 6 Must-Have Features
The General Data Protection Regulation (GDPR) came into effect on May 25th, 2018. It is meant to protect EU citizens’ data privacy and puts new demands on how businesses approach data privacy. Is your contract management process set up to ensure compliance with the latest regulation?
The General Data Protection Regulation imposed higher demands on companies that manage personal data, whether you are a “controller” — deciding the purpose and manner in which personal data is used — or a “processor” — handling personal data on behalf of a controller.
The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years.
Failure to comply with the GDPR potentially brings hefty penalties — up to €20 million, or 4% of global turnover, whichever is higher. Despite this, some companies still need to redesign their contract management process to ensure GDPR compliance.
GDPR & Contract Management
With higher demands on your business comes higher demands on the systems and solutions that you’re using. Your contracts might contain personal data, meaning that they might be subject to the regulation. With this in mind, it’s important that your contract management solution helps you become and stay compliant.
To help you on the way, we’ve listed six key features that your contract management software needs in order to support you on your way towards GDPR compliance.
1. GDPR & contract storage
Data security is already important to both you and your clients, but the GDPR might clarify or add certain requirements. Article 5 of the regulation states that you must have protection against, among other things, unauthorized entry and accidental loss or destruction of personal data.
In order to achieve this, you will want to gather all of your contracts containing personal data (and preferably all of your contracts) in one secure place, as described further below. Essentially, minimizing the number of systems containing personal data (e.g. in contracts) will make it easier to comply with the new legal requirements.
"… [S]trangely, many companies don’t have a single defined repository, even with GDPR and other regulations virtually demanding it."
Apart from keeping your contracts in one place, you will naturally want a secure platform for storing all your contracts containing personal data. You can achieve this by using a solution that protects data in transit with Transport Layer Security (TLS) and a strong, modern cipher suite. Furthermore, you will want to ensure that your cloud provider maintains a high level of physical security, which is often fulfilled when your contract management solution is hosted in secure data centers.
Being able to limit internal access and to set up workflow-related security measures is also important. Consequently, you should look for features such as automated approval workflows, different user-level access permissions and—of course—two-factor authentication for accessing the system.
2. Easy data access
The GDPR also aims to protect fundamental rights and freedoms of natural persons, which in non-legalese means that people whose data you’re handling will have more extensive rights.
By now, you’ve probably heard about the right to be forgotten and the right to data portability. In order to ensure compliance with these rights, your contract management solution needs to make it easy to identify and erase contracts containing personal data. This can, for instance, be achieved with powerful searching and filtering features, which will help you find the contract you’re looking for, quickly.
To state the obvious, the lack of search capabilities is also one of the most important reasons to say goodbye to your physical binders, not least in light of the new regulation.
3. Contract authoring equals control
As previously mentioned, the GDPR brings more responsibilities for your company in terms of managing personal data.
The processor who conducts data processing activities on your behalf is still held responsible if they act outside of the authority granted by you (and vice versa). You will, consequently, want to make sure that your third-party processor’s activities are compliant.
With this in mind, it’s important that areas such as the processor’s obligations are clear as day. This puts higher demands on the contracts that you use with anyone managing personal data on your behalf.
Therefore, we recommend that you use contract management software with state-of-the-art contract authoring capabilities. What to look for here is, inter alia, the ability to
- set up templates in a central repository, including standard clauses and fallback options, to be used for the whole organization, and
- determine rules for the end-users to make changes in contracts (which often is combined with an interview-based way for end-users to draft contracts, instead of copy-pasting in a rich-text editor).
4. E-signatures make GDPR compliance easier
On top of contract authoring capabilities, a solution containing advanced e-signatures will make compliance even easier. At least in two regards.
First and foremost, the new regulation specifies strict criteria for gathering consent to process an individual’s personal data. As the individual’s consent has to be unambiguous, informed, specific, freely given, and documented, e-signatures can enhance your ability to fulfill the requirements. Especially as the e-signatures make it easier to capture consent immediately at the point of data collection.
Second of all, the new regulation stipulates certain conditions for contracts between data controllers and data processors (e.g. a system provider that processes the personal data you control). Many businesses are therefore required to update their data processing agreements with third-party suppliers.
Together with the contract authoring abilities as described above, advanced e-signatures can streamline the process of updating the contracts to meet the GDPR requirements. Besides accelerating the signing process, e-signatures will give you total visibility of the status of each contract and who has yet to sign.
5. Contract event tracking
Time is another important aspect of compliant GDPR contract management. Since Article 5 of the GDPR also states that data should not be processed for longer than is necessary to fulfil the purposes for which it is processed, you will want to track certain events in contracts. Furthermore, an engine with smart reminders for the tracked events is preferable.
Using a solution with event tracking throughout the entire contract lifecycle can help you a great deal. You can use event tracking to minimize the duration of your personal data processing, and also to keep track of other due dates such as obligation reporting, contract renewals, and renegotiations.
6. Data minimization and accuracy features
When drafting contracts, you are always going to have to collect information about your counterparties. But there is a way to ensure that your data collection happens in the most GDPR-compliant way possible. What should you be wary of when choosing a SaaS vendor? That’s where data minimization and accuracy come into play. Data minimization refers to the idea that a vendor should collect as little data as is necessary, and that the data should be as accurate as possible.
So, as a starting point for your compliance, you need to know what data is asked of you. For example, does the system ask you for more information about your user account than needed? This could be asking you for a profile photo or a description of yourself, even though it does not affect the usability of the product.
The second thing to look out for is whether you can control the input fields in the product when the people in your company are using it. Below, we describe a few features that may help your internal compliance when it comes to choosing a CLM (or any system, really).
Privacy By Design and Default:
When you are looking for a SaaS or cloud provider, you want to find one that is developed with “Privacy by design” and “Privacy by default” in mind. Both concepts have many things in common, but the main point is that both are techniques for controlling the personal data that is processed.
To give you examples, here are some valuable Privacy By Design features in our Precisely platform:
- Limited personal information collected for account setup (only your email address and name)
- Ability to control input fields in contracts (questionnaire) by use of
  - Multiple choice
  - Numeric only
  - Free text
- Ability to provide clear helping text for any free-text field
- Ability to set strict access policies on documents containing personal information
- Metadata tagging allowing you to
  - Filter the archive on individuals to identify where they are mentioned
  - Track contracts including DPAs
GDPR & Contract Management Systems
In conclusion, using a powerful contract management system with the features mentioned above can help you ensure GDPR compliance. This is especially important to keep in mind since an inadequate system could damage your business or lead to a lot of unnecessary manual contract-related work. Because of this, it’s important to review your current contract management process.
Our lawyers wanted to add a disclaimer, so here it is: This article is for informational purposes only and is not intended to provide or constitute legal advice of any kind. The accuracy of the information in this article is not warranted or guaranteed. You should not act or rely on this information without consulting a legal professional. You should consult a legal professional in the relevant area if you are in need of legal advice.