GDPR: What have we learned about contracts?
David Brook, co-founder and a director of IT consultancy company, Turnstone Services, examines the effect GDPR is having on supplier contracts.

The last and final step to achieving GDPR compliance is the writing of the GDPR terms into supplier contracts. This ensures that the new data privacy undertakings will be part of the supplier customer relationship going forward.

Now, supplier contracts must meet the new standard wherever a supplier touches EU personal data. The GDPR terms, which are specified by the Information Commissioner’s Office, require that data is processed only as documented, is kept protected and confidential, and that the supplier will help respond to any requests from data subjects.

Prior to GDPR, there had been a tendency for IT vendor contracts to contain some holes and many lacked the detail that would have assured their customers of reliable security and protection.

This is hardly surprising, on two counts. It is a competitive market of vendors who are extremely good at selling and at protecting their own interests. Meanwhile, customers are often under time pressure: agreeing contract details is viewed as important at the outset, but as negotiations drag on, lawyers get involved, attention spans suffer and sometimes time simply runs out.

The result was that contracts often lacked key points which could have been negotiated and added in, such as service credits and exit strategies, but did contain auto-renewals and onerous terms and conditions which are at best supplier-centric.

This is very common, particularly in companies without procurement expertise. Vendors often exploit the situation, leading to the ‘supplier-centric’ contract that is as onerous to the buyer as it is commercially disastrous. If procurement is viewed as glorified secretarial work or boring administration, this kind of myopia ultimately causes delays, cost overruns and service quality issues.

Naturally, IT staff tend to focus on the technical offerings, and often the vendor is complicit in this, leaving the many other areas of contract negotiation untouched. Ideally, the supplier’s responsibilities for delivering projects on time will be spelled out, and service level details and staffing are equally high priority.

The GDPR has pushed people to look harder at their contracts, to be sure that the terms are correct, complete, and watertight. In most businesses, this will have created a massive amount of work for their IT, procurement and legal teams.

Some companies have spent around two years preparing for the GDPR regulations and implementing their compliance programmes. We have never seen any other change as far-reaching as this since Year 2000. GDPR affects a huge number of internal processes and forces us to review external relationships with most of our IT service providers and suppliers.

Now with the May 25 deadline in sight, in the majority of companies, this work is mostly done, a batch of supplier negotiations has been completed, and agreements finally meet the new standard required to be GDPR compliant. But it will not have been easy.

What can be learned from the compliance process, and how can we be smarter with contracts going forward?

Generally, procurement is being recognised in IT circles as an important skill area, and not just a bolt on to the day job. We are seeing a more determined approach to make contracts more favourable to the IT buyer and less supplier-centric.

Continuing adoption of ITIL is another factor, where good supplier management is part of the framework. Some IT functions are training their staff in specific IT procurement skills, others prefer to hire a specialist firm to provide IT procurement skills on demand. Ultimately an IT team will be best-served if they can work with an expert in IT procurement.

Adding procurement expertise improves commercial leverage, and procurement experts tend to bring a wider perspective, being trained to negotiate on a wide range of commercial factors. Some of these factors have less immediacy, but are just as important as meeting a ‘go live’ date and agreeing a license price.

Cost savings are the obvious benefit, since this is ultimately what procurement people specialise in, but they bring more than this: they also push suppliers to deliver more.

Factors such as forcing regular review sessions, asking for liquidated damages and penalties, contractualising clear roles and responsibilities, baking timescales in, forcing people to think harder about requirements, and stopping ‘scope creep’ – these all help to make the contractual arrangement more favourable to the buyer and more helpful to the purchasing company.

It would be good to see IT departments becoming more aware of the riskier areas hidden in their vendor contracts, and managing them more proactively to reduce exposure.

If commercial processes can be enhanced, this provides better delivery of services, firmer cost control and greater assurances of data security. If the IT requirements, acceptance criteria, rates and penalties are all part of the mix, it will always enhance the quality of the vendors’ service delivery.