Your focus to date is likely to have been on your organisation’s use of personal data. However, it is really important that you don’t forget your contracts – specifically any data processing contracts that you have (or should have) in place with a data processor, such as a payment processor or payroll service.

1. By now, your preparations should be well under way for the GDPR deadline of 25 May 2018. If this
raises alarm bells, please see our recent Thirteen Point Guide to the GDPR to help you get up to
speed.
Your focus to date is likely to have been on your organisation’s use of personal data. However, it is
really important that you don’t forget your contracts – specifically any data processing contracts that
you have (or should have) in place.
You (as an organisation) are deemed to be a data controller in circumstances where you determine
the purposes for and the manner in which any personal data (data which could be used to identify a
living person) will be processed. “Processing” means doing just about anything with personal data,
e.g. collecting, storing, using, transmitting or recording.
Data Processing Agreements
As a data controller, if you engage a third party to deal with personal data on your behalf, and they
are acting under your overall instruction and control, they are acting as a data processor, and
specific rules apply to contracts in this situation. You will therefore need to take advice on such
contracts in relation to clauses which need to appear in them and which relate to items such as:
 ensuring that personal data is only processed on documented instructions of the data
controller
 confidentiality obligations on members of staff
 security of personal data
 implementation of measures to assist the data controller in complying with the data subjects’
rights
 the requirements placed on the data controller to comply with the Information Commissioner’s
Office.
International Transfers
Continuing on from the provisions of the Data Protection Act 1998, the GDPR ensures there are strict
rules in place in relation to any transfers of personal data to destinations outside the European
Economic Area (or EEA). In the context of a data processing agreement, if any personal data will go
outside of the EEA, the data controller must be satisfied that the conditions for such transfers can be
met. Usually, this will be because:
(a) the European Commission has made a decision that the recipient country has an adequate
level of protection relating to the data subjects’ rights and remedies;
(b) the data processor has provided appropriate safeguards within the contract; or
GDPR: Why your contracts need updating

2. (c) the data subject has explicitly consented to the proposed transfer, after having been informed
of the possible risks of such transfers for the data subject, due to the absence of either (a) or
(b) above.
There are other means by which a transfer can be made, but the above are the most common in the
context of data processing agreements. If there is any possibility of any of your organisation’s data
being transferred abroad (outside the EEA), e.g. because your cloud provider stores the data which
your organisation hosts with it outside the EEA, then you will need to ensure that, as the data
controller, you understand the basis on which you say such a transfer is lawful.
Data Protection Indemnities
Under the GDPR, data controllers and data processors are now both potentially subject to civil,
administrative and criminal penalties, as well as damages, for non-compliance. Therefore, both
parties must, for their own benefit, be clear in their contracts as to where each such liability falls.
It is important to highlight that the GDPR is set to introduce substantially increased penalties for non-
compliance. Maximum penalties will rise to up to €20 million or 4% of gross annual turnover,
depending on the type of breach. Organisations should therefore ensure that agreements which were
entered into prior to 25 May 2018 and which are ongoing after that date are varied as soon as
possible, so as to include these updated obligations. If these agreements are not updated, both data
controllers and processors should be aware that any obligations they have under an existing
agreement which continues beyond 25 May 2018 will be overridden by their obligations under the
GDPR in the event of any conflict.
What you should be doing now?
1. Identify all third parties whom you require to do something with personal information on your
behalf, and where you retain total control over what that third party does with the information
(thus constituting a data processing arrangement). If such an arrangement is currently in
existence, you should already have a written agreement in place, which identifies one of the
parties as a data processor, and if you don’t, you should put one in place and prior to 25 May
2018.
2. Update all data processing contracts identified, so that they include the required terms in
relation to data processing, international transfers and data protection indemnities. The
deadline for making these changes is 25 May 2018.
3. Review any liability caps which may be in your data processing agreements, as well as any
insurance policies you may have to protect your organisation against substantially increased
claims from the data processor and affected data subjects, in the event of a breach of the
GDPR. You may also wish to consider taking out cyber liability insurance in the event of a
data breach, given traditional insurance policies do not usually cover a cyber-attack.
For further information on updating your business or organisation’s contracts, or putting in place new
processing agreements, please contact Brian Miller at brianmiller@stoneking.co.uk or call +44 (0)20
7324 1523.
Disclaimer: this article may not be reproduced without the prior written permission of the author. This
article reflects current law and practice. It is intended to be general in nature, and does not purport in
any way to be comprehensive or a substitute for specialist legal advice in individual circumstances.
Please note that English data protection law will be changing again, once the new Data Protection Bill
becomes law in 2018 and which may require us to make changes to this note.
stoneking.co.uk
SK17-11