GDPR Compliance Journey - 15 Contracts & Agreements

Gydeline
17 May 2018, 05:12

Summary

TLDR: In this video, Mike and Sarah guide viewers through the process of ensuring compliance with the General Data Protection Regulation (GDPR) by reviewing contracts with suppliers and third parties. They emphasize the importance of including specific GDPR elements such as confidentiality, data breach responsibilities, and data protection impact assessments. The hosts use Zoho as a case study, showcasing how the company's GDPR readiness and adherence to contractual terms provide confidence in their data handling practices. The video concludes with a call to action for ongoing supplier assessments and a preview of the next topic: training.

Takeaways

  • 📜 The speaker emphasizes the importance of reviewing contracts with suppliers and third parties to ensure they include the required elements of GDPR.
  • 👨‍⚖️ It is advised to seek legal advice for those unsure about the specifics of GDPR compliance in contracts.
  • 🔍 The GDPR provides specific guidance on what to expect in contracts, including confidentiality, data breach responsibilities, and data protection impact assessments.
  • 🔗 The speaker's website offers a blog post with a how-to section on data processing contracts and the required areas to check for GDPR compliance.
  • 📝 The script mentions the need to verify that contractual terms include details about data deletion, recovery, infringement measures, and data transfers.
  • 🏢 The speaker shares their experience with Zoho, highlighting how the company is taking GDPR seriously and providing necessary documentation.
  • 📑 Zoho's GDPR readiness statement and Terms of Service are mentioned as examples of how a supplier can demonstrate compliance with GDPR requirements.
  • 🔒 The importance of privacy policies being updated in line with GDPR requirements is noted, as shown by Zoho's updated policy.
  • 🤝 The script suggests that having a combination of terms and conditions, privacy notices, and GDPR statements from suppliers helps ensure contractual compliance.
  • 🔄 The process of reviewing contracts with other suppliers involves sending questionnaires and forms to verify their GDPR compliance.
  • 👩‍🏫 The next topic to be discussed in the series is training, indicating an ongoing commitment to GDPR compliance education.

Q & A

  • What is the primary focus of the video script?

    -The primary focus of the video script is on the importance of reviewing contracts in the context of GDPR compliance, ensuring that they contain the necessary elements as mandated by the regulation.

  • Why is it recommended to seek legal advice when dealing with GDPR and contracts?

    -It is recommended to seek legal advice because the presenter is not a lawyer, and legal expertise is crucial for understanding and implementing the specific requirements of GDPR in contracts correctly.

  • What does the script suggest checking in agreements with suppliers and third parties?

    -The script suggests checking that agreements with suppliers and third parties include required elements of GDPR such as confidentiality, breach responsibilities, data protection impact assessments, data deletion or recovery processes, infringement measures, audits or reports, and details of data transfers and technical measures.

  • What is a GDPR readiness statement and why is it important?

    -A GDPR readiness statement is a document provided by a supplier that outlines how they are preparing for and implementing measures to comply with GDPR. It is important because it provides assurance to clients that the supplier is taking GDPR compliance seriously.

  • What is the role of a Terms of Service document in GDPR compliance?

    -The Terms of Service document outlines the obligations of both the service provider and the client regarding data protection, including how data is handled, who it might be shared with, and how to lodge complaints, which are all critical aspects of GDPR compliance.

  • How does the script suggest verifying a supplier's GDPR compliance?

    -The script suggests reviewing various documents provided by the supplier, such as the GDPR readiness statement, Terms of Service, and privacy policy, to ensure that they are in line with GDPR requirements and that the necessary contractual terms have been implemented.

  • What is the significance of a supplier's privacy policy in the context of GDPR?

    -A supplier's privacy policy is significant because it should be updated to align with GDPR requirements, detailing how personal data is used, transferred, and protected, which is essential for demonstrating compliance.

  • What actions have been taken by the company in the script to ensure their suppliers are GDPR compliant?

    -The company has reviewed their contract terms of business, checked their major suppliers' documents for GDPR compliance, and in some cases, sent out questionnaires and forms for suppliers to fill in to verify their compliance.

  • What is the next topic the company plans to discuss in their GDPR compliance journey?

    -The next topic the company plans to discuss is training, which is an important aspect of ensuring that all employees are aware of and can follow GDPR requirements.

  • What is the overall message the script conveys about the importance of contract review in GDPR compliance?

    -The overall message is that reviewing and ensuring contracts contain the necessary elements of GDPR is crucial for compliance. It provides confidence that suppliers are meeting the required standards and helps organizations avoid potential non-compliance issues.

Outlines

00:00

📜 Contract Review for GDPR Compliance

This paragraph introduces the topic of contract review in the context of GDPR compliance. The speaker, Mike Sarah, emphasizes the importance of consulting legal advice despite not being a lawyer. The General Data Protection Regulation (GDPR) provides specific guidance on contract requirements, which include elements like confidentiality, data breach responsibilities, data protection impact assessments, data deletion and recovery procedures, infringement measures, data transfers, and technical measures. The speaker suggests reviewing agreements with suppliers and third parties to ensure these elements are included. They also mention their website's article on data processing contracts and the required areas to check, such as audits, reports, and technical measures.

05:03

🔍 Zoho's GDPR Readiness and Contract Terms

The second paragraph delves into the practical steps taken by the speaker to review their organization's contracts with suppliers, using Zoho as a case study. Zoho is highlighted for its serious approach to GDPR compliance, with a readiness statement and additional documents available on their website. These documents include a Terms of Service agreement that outlines data infringement, obligations of both parties, and complaint procedures, as well as a privacy policy updated to align with GDPR requirements. The speaker notes that not all providers may be as compliant, indicating an ongoing process of verification and potentially sending questionnaires to suppliers to ensure they meet the necessary standards.

Keywords

💡GDPR

GDPR stands for General Data Protection Regulation, which is a regulation in EU law that focuses on data protection and privacy for individuals within the European Union. In the video, the speaker emphasizes the importance of GDPR compliance in contracts, indicating that it is a central theme of the discussion and a key area of focus for businesses handling personal data.

💡Contracts

Contracts are legally binding agreements between two or more parties. In the context of the video, the speaker discusses the necessity of reviewing contracts with suppliers and third parties to ensure they include the required elements of GDPR, highlighting the contractual obligations related to data protection.

💡Confidentiality

Confidentiality refers to the protection of sensitive information from unauthorized access or disclosure. The video script mentions confidentiality as one of the required elements to be included in contracts, emphasizing the need for suppliers to maintain the secrecy of personal data they handle.

💡Data Breach

A data breach occurs when unauthorized individuals gain access to sensitive information. The script discusses the importance of having provisions in contracts that address the responsibilities and actions to be taken in the event of a data breach, showing the video's focus on preparedness for potential security incidents.

💡Data Protection Impact Assessments (DPIAs)

DPIAs are systematic evaluations of data protection risks that organizations must carry out before implementing new technologies or processes involving personal data. The video mentions the need for contracts to include any requirements for DPIAs, indicating the importance of proactively identifying and mitigating privacy risks.

💡Data Deletion and Recovery

Data deletion and recovery pertain to the processes of securely removing data and restoring it when necessary. The script points out that contracts should detail how data will be deleted or recovered, reflecting the video's emphasis on data lifecycle management and ensuring compliance with GDPR principles.

💡Infringement Measures

Infringement measures are actions taken to address and rectify non-compliance with legal or regulatory requirements. The video script notes that contracts should include details of infringement measures to be implemented and tested, underlining the proactive approach to compliance and readiness for potential violations.

💡Data Processing

Data processing involves any operation or set of operations performed on personal data, such as collection, storage, and analysis. The video discusses the need for contracts to specify details of data processing, including who the data is sent to for processing, which is crucial for ensuring transparency and accountability in data handling.

💡Audits and Reports

Audits and reports are tools used to evaluate and document compliance with regulations and standards. The script mentions that contracts should include details of available audits or reports, which is important for demonstrating accountability and transparency in GDPR compliance efforts.

💡Technical Measures

Technical measures refer to the technological solutions and systems implemented to protect data and ensure security. The video script includes technical measures as a required element in contracts, showing the importance of having robust technical safeguards in place as part of GDPR compliance.

💡Zoho

Zoho is a software company that provides a suite of online productivity tools for businesses. In the script, the speaker uses Zoho as an example of a supplier that takes GDPR compliance seriously, mentioning their GDPR readiness statement and the various documents they provide to demonstrate their commitment to data protection.

💡Privacy Policy

A privacy policy is a document that outlines how an organization collects, uses, stores, and protects personal data. The video script refers to Zoho's updated privacy policy, which aligns with GDPR requirements, as an example of how suppliers can demonstrate their commitment to data protection and privacy.

💡Terms of Service

Terms of service are the contractual terms by which a service provider offers its services to customers. The script discusses Zoho's Terms of Service, which includes details about data handling, obligations of both parties, and how information is transferred, illustrating the importance of clear contractual terms for GDPR compliance.

Highlights

Introduction to the GDPR compliance journey series with Mike and Sarah.

Clarification that the presenters are not lawyers and legal advice should be sought for specific issues.

The importance of reviewing contracts with suppliers and third parties to ensure GDPR requirements are included.

GDPR's specific guidance on the elements that should be expected in contracts.

The availability of the required elements checklist on the Gydeline website.

Discussion on confidentiality responsibilities in contracts.

The necessity to include breach requirements in data processing contracts.

The need for data protection impact assessments as part of contract terms.

Details on data deletion or recovery processes in contracts.

Inclusion of infringement measures to be implemented and tested within contracts.

Identification of third-party data processors and onward processing in contracts.

The requirement for audits or reports to be available as per GDPR.

Details of data transfers and technical measures specified in contracts.

Review of contract terms of business to ensure GDPR compliance.

Zoho's GDPR readiness statement and the measures they are putting in place.

Zoho's Terms of Service detailing infringement, data transfer obligations, and complaint procedures.

Zoho's updated privacy policy in line with GDPR requirements.

The overall positive impression from Zoho regarding their GDPR compliance efforts.

The ongoing work to check supplier requirements and the use of questionnaires for verification.

The next topic in the GDPR compliance journey series will be training.

Transcripts

00:00 [Music]
00:03 hi I'm Mike Sarah and welcome back once
00:07 again to our GDPR compliance journey
00:09 this time we are talking contracts now
00:15 important to say that I'm not a lawyer
00:18 and so always best to seek legal advice
00:21 if you're not sure
00:23 however the GDPR does give some
00:27 specific guidance on what you should
00:29 expect to find in contracts so you need
00:32 to be thinking about reviewing the
00:35 agreements you have with your suppliers
00:36 and third parties to check that they
00:39 have the required elements of GDPR
00:41 included inside them so let's go ahead
00:45 and take a look at these requirements
00:46 we've got them listed on our website so
00:50 here we are at the Gydeline website and
00:52 we have an article on our blog about
00:53 data processing contracts and if you
00:57 look at this we've got a how-to section
00:59 which talks about the required areas
01:02 that we need to be looking at so these
01:05 are confidentiality responsibilities
01:08 about breach if there's any requirement
01:11 to do data protection impact assessments
01:13 how data will be deleted or recovered
01:16 any infringement measures that should be
01:19 implemented and tested details of
01:21 anybody else that is sent the data to
01:23 process or onward processing what
01:26 audits or reports are available and
01:29 details of data transfers and technical
01:33 measures those are the specifically
01:36 required elements so we just need to be
01:40 checking that they are all included so
01:43 those are the areas that are mandated as
01:45 part of the GDPR now what we've done
01:48 is to review our contract terms of
01:51 business and suchlike to check that
01:53 those are included so let's have a look
01:55 at those of one of our major suppliers
01:58 and we'll see if those elements are
02:01 there so those of you that might have
02:04 watched some of our previous GDPR
02:05 journey videos you'll know that we
02:07 use Zoho for a lot of our systems and
02:09 we're quite lucky in that they seem to
02:11 be taking GDPR very very
02:13 seriously you may not always find this
02:15 with your providers but they have a GDPR
02:19 readiness statement on their website
02:21 and talks about how they are preparing
02:24 some of the measures that they are
02:26 putting in place and so therefore that
02:28 enables us to check that some of the
02:31 implementation and measures that are
02:34 required as part of the contractual
02:36 terms have been implemented by Zoho
02:42 there are further documents that they
02:44 provide that enable us to see the sorts
02:48 of things that they're doing so as an
02:52 example there is a Terms of Service
02:55 which talks about infringement the
03:01 service they provide who the information
03:05 might be sent to obligations of
03:08 ourselves and of Zoho who they transfer
03:15 information to how we lodge a complaint
03:17 and this always also links in to
03:21 their own privacy policy which again has
03:28 been updated to be in line with GDPR
03:31 requirement so this talks about the use
03:37 of data transfers children's protection
03:42 how information stored so really the
03:46 message is that we're getting a good
03:49 feeling from Zoho we're pulling out from
03:52 these different documents which overall
03:55 form our contract with them the kinds of
03:58 information we need to check that we
04:01 have the agreements in place that give
04:06 us the confidence that they are doing
04:08 what we need it's not always the case
04:11 with all our providers that they are
04:12 doing what they need to do until there's
04:14 an ongoing piece of work to check those
04:17 requirements however I hope that by
04:21 showing you these few documents
04:24 and in the case of Zoho you can see we
04:26 have a terms and conditions we have a
04:30 privacy notice and we have GDPR
04:32 statements from the suppliers themselves
04:35 that together these documents help us to
04:37 check the contractor and the agreement
04:40 position that we have with these
04:42 organizations so there you have it
04:45 that's a quick review on how we've
04:47 checked with Zoho we've done similar
04:50 reviews with other suppliers and in some
04:52 cases we have sent questionnaires and
04:54 forms out for suppliers to fill in to
04:57 check that they are doing what they need
04:59 to be doing I hope you found that useful
05:02 next time we're talking about training
05:05 so until then we hope you find your
05:08 compliant simple

Related Tags: GDPR, Compliance, Contracts, Data Protection, Legal Advice, Confidentiality, Supplier Review, Data Processing, Privacy Policy, Zoho