6 CLM software features that help you meet GDPR requirements

GDPR & Contract Management

With higher demands on your business comes higher demands on the systems and solutions that you’re using. Your contracts might contain personal data, meaning that they might be subject to the new regulation. With this in mind, it’s important that your contract management solution helps you become and stay compliant.

To help you on the way, we’ve listed six key features that your contract management software needs in order to support you on your way towards GDPR compliance.

1. GDPR & contract storage

Data security is already important to both you and your clients, but the GDPR might clarify or add certain requirements. Article 5 of the regulation states that you must have protection against e.g. unauthorized entry and accidental loss or destruction of personal data.

In order to achieve this, you will want to gather all of your contracts containing personal data, but preferably all of them, in one (and as further described below, secure) place. Essentially, minimizing the number of systems containing personal data (e.g. in contracts) will make it easier to comply with the new legal requirements.

Apart from keeping your contracts in one place, you will naturally want a secure platform for storing all your contracts containing personal data. You can achieve this by using a solution with Transport Layer Security and a high-grade crypto-suite, to make sure your data is transmitted safely. Furthermore, you will want to ensure that your cloud-provider maintains a high level of physical security, which can often be fulfilled when your contract management solution is hosted in secure data centers.

Being able to limit internal access and setting up workflow-related security measures is also important. Consequently, you should look for features such as automated approval workflows, different user-level access permissions and—of course—two-factor authentication for accessing the system.

2. Easy data access

The GDPR also aims to protect fundamental rights and freedoms of natural persons, which in non-legalese means that people whose data you’re handling will have more extensive rights.

By now, you’ve probably heard about the right to be forgotten and the right to data portability. In order to ensure compliance with these rights, your contract management solution needs to make it easy to identify and erase contracts containing personal data. This can, for instance, be achieved with powerful searching and filtering features, which will help you find the contract you’re looking for, quickly.

To state the obvious, the lack of search capabilities is also one of the most important reasons to say goodbye to your physical binders. Not least in light of the new regulation.

3. Contract authoring equals control

As previously mentioned, the GDPR brings more responsibilities for your company in terms of managing personal data.

The processor who conducts data processing activities on your behalf is still held responsible if they act outside of the authority granted by you (and vice versa). You will, consequently, want to make sure that your third-party processor’s activities are compliant.

With this in mind, it’s important that areas such as the processor’s obligations are clear as day. This puts higher demands on the contracts that you use with anyone managing personal data on your behalf.

Therefore, we recommend that you use a contract management software with state-of-the-art contract authoring capabilities. What to look for here is, inter alia, the abilities to

• set up templates in a central repository, including standard clauses and fallback options, to be used for the whole organization, and
• determine rules for the end-users to make changes in contracts (which often is combined with an interview-based way for end-users to draft contracts, instead of copy-pasting in a rich-text editor).

4. E-signatures make GDPR compliance easier

On top of contract authoring capabilities, a solution containing advanced e-signatures will make compliance even easier, at least in two regards.

First and foremost, the new regulation specifies strict criteria for gathering consent to process an individual’s personal data. As the individual’s consent has to be unambiguous, informed, specific, freely given, and documented, e-signatures can enhance your ability to fulfill the requirements. E-signatures make it especially easier to capture consent immediately at the point of data collection.

Second of all, the new regulation stipulates certain conditions for contracts between data controllers and data processors (e.g. a system provider that processes the personal data you control). Many businesses are therefore required to update their data processing agreements with third-party suppliers.

Together with the contract authoring abilities as described above, advanced e-signatures can streamline the process of updating the contracts to meet the GDPR requirements. Besides accelerating the signing process, e-signatures will give you total visibility of the status of each contract and who has yet to sign.

5. Contract event tracking

Time is another important aspect of compliant GDPR contract management. Since it’s also stated in article 5 of GDPR that data should not be processed for longer than is necessary to fulfil the purposes of which it is processed, you will want to track certain events in contracts. Furthermore, an engine with smart reminders for the tracked events is preferred.

Using a solution with event tracking throughout the entire contract lifecycle can help you a great deal. You can use event tracking to minimize the time of your personal data processing, but also help you keep track of other due dates such as obligation reporting, contract renewals, and renegotiations.

6. Data minimization and accuracy features

When drafting contracts, you’re always gonna have to collect information about your counterparties. But there is a way to ensure that your data collection happens in the most GDPR compliant way possible. What should you be wary of when choosing a SaaS vendor? That’s where data minimisation and accuracy come into play. Data minimization refers to the idea that a vendor should collect as little data as is necessary, and  the data should be as accurate as possible.

So, as a starting point for your compliance, you need to know what data is asked from you. For example, does the system ask you for more information regarding your user account than needed? This could be asking you for a profile photo or a description of yourself, although it might not affect the usability of the product. 

The second thing to look out for is can you control the input fields in the product when the people in your company are using it? Below, we describe a few features that may help your internal compliance when it comes to choosing a CLM (or any system, really).

Privacy By Design and Default: 

When you are looking for a SaaS or cloud providers, you want to find one that is developed with “Privacy by design” and “Privacy by default” in mind. Both concepts have many things in common, but the main thing is that both are a technique for controling the personal data that is processed.

To give you examples, here are some valuable Privacy By Design features in our Precisely platform:

• Limited personal information collected for account set up (only your email address and name)
• Ability to control input fields in contracts (questionnaire) by use of
  • Multiple choice
  • Numeric only
  • Free text
• Ability to provide clear helping text to any free-text field
• Ability to set strict access policies to documents containing personal information
• Metadata tagging allowing you to
  • Filter in archive on individuals to identify where they are mentioned
  • Track contracts including DPA’s

GDPR & Contract Management Systems

In conclusion, using a powerful contract management system with the features mentioned above can help you in ensuring GDPR compliance. This is especially important to have in mind since an inadequate system could damage your business or lead to a lot of unnecessary manual contract related work. Because of this, it’s important to review your current contract management process.

Our lawyers wanted to add a disclaimer, so here it is: This article is for informational purposes only and is not intended to provide or constitute legal advice of any kind. The accuracy of the information in this article is not warranted or guaranteed. You should not act or rely on this information without consulting a legal professional. You should consult a legal professional in the relevant area if you are in need of legal advice.