GDPR – 7 Key elements you must have in your supplier contracts

If you’re using a supplier to host *any* EU citizens’ personal data (including log entries, emails, documents, HR records, backups) then, when GDPR starts in May 2018, you need to have a written contract with them that includes:

  • subject matter and duration of processing
  • type of personal data and categories of subjects

And that the supplier will

  • only process on your instruction
  • ensure employees are under strict confidentiality agreements
  • not engage (or change) a sub processor without your approval
  • be responsible to you if a sub processor fails to perform
  • help you respond to data subject enquiries

If you fail to include such terms in your processor contracts, the ICO could fine you the greater of €10m or 2% of total annual turnover. Gulp.

For more detail on GDPR see this article by Rawlison Butler:
http://www.rawlisonbutler.com/blog/data-protection-need-include-data-processor-contracts/