Credit: alengo/iStockphoto.com

The Global Data Protection Regulation (GDPR) mandated by the European Union (EU) took effect in May 2018. The California Consumer Protection Act (CCPA) takes effect in January 2020. U.S. Congressional hearings have begun on nationwide privacy rules. And jurisdictions around the world are preparing to launch their own privacy legislation as well.

While the GDPR came into effect in May 2018, it is likely not all have considered how the new law and others like it will impact business relationships with third parties and vendors:  a need for amending contracts with the heavy legal team resources needed to support it. This process of amending contracts is often referred to as “repapering.”

For example, since GDPR impacts all EU customer and employee data, including data housed within the business and data exported to third parties, companies can be held liable if iron-clad vendor contracts that address privacy concerns are not in place and data is compromised. For most companies, reducing this liability will involve some amount of repapering to hold those third parties contractually obligated to protect the data in accordance with the regulations.

To navigate the repapering process, here are four questions legal teams should be asking management:

1. Do you know where data impacted by the now effective GDPR and soon effective CCPA resides?

Companies today hold massive volumes of data, and often that data is housed, and sometimes replicated, in many different locations: internal systems, paper files, marketing and advertising agencies, cloud hosting sites, data storage centers, affinity program management firms, vendor subcontractors—the list goes on.

Unfortunately, most companies still don't have a full understanding of where all their data is housed internally, and even less understanding of which third parties have access to or possession of it. That can complicate the task for legal teams, especially those dealing with large multinational corporations with complex vendor and sub-vendor relationships.

Legal teams clearly have their work cut out for them here, though: just 13.6 percent of executives according to a recent Deloitte survey are at the “gold standard” of preparedness, i.e., have confidence that the organization knows what data third parties have and leveraging emerging technologies to analyze and manage associated vendor contracts for compliance. A further 56 percent are either in the process or plan to begin the process of identifying the data held by third parties soon, with their eyes toward contract management. Some (10.2 percent) have not started at all.

2. Is there a process in place for identifying which vendor contracts need to be amended?

For many companies, the repapering process can be burdensome and expensive because, in most instances, contracting resources are already stretched thin.

Establishing a framework for the client that can govern the entire life cycle of a contract, from identifying insufficient agreements to repapering and signing, can ease compliance woes.

A model we've seen companies typically succeed with is one that focuses on four specific components: locating and identifying the affected contracts; extracting relevant contract information; running an analysis on that information to identify problem areas; and—finally—amending and renegotiating contracts.

Today, this four-phase process is made easier and more cost-effective with the support of new technologies. The biggest innovations helping both legal teams and companies on this front are artificial intelligence (AI), machine learning and analytics. For example, AI-enabled contract management solutions can rapidly identify contracts that need to be adjusted, while machine learning algorithms can “learn” to recognize privacy-related contract terms more effectively than manual text searches. That's not to say legal teams can skip review of newly updated contracts, but the approach can shift a lot of the labor-intensive updating off of legal teams so they can focus on the higher-level review of outputs from those programs—and the rest of their workload.

3. What are the potential risks and opportunities involved in amending contracts identified for repapering?

Contract repapering is usually not a simple “red-line and sign” exercise.

Some vendors may be willing to quickly update insufficient clauses without issue; but, as in any renegotiation scenario, others may take this opportunity to rework more than what needs to be repapered for data privacy compliance purposes.

Given the risks involved, it's important that organizations and their legal teams think through the unique circumstances of certain crucial contracts that must be amended. How strong is the relationship with the vendor? Is the vendor happy with the agreement in place? Is there a risk that the vendor will try to renegotiate other parts of the contract, or perhaps the entire agreement? Depending on the answers, companies could face extended, more complex, and even costlier negotiations. More reason to consider leveraging technology and managed services solutions to streamline the workstreams and limit the impact on in-house legal staff or expensive outside counsel.

4. How scalable is your organization's data privacy and contract management program?

As increasingly more data privacy regulations are passed around the world, knowing where your data is and which third-party contracts are affected is key. Yet, according to a Deloitte survey, less than half of surveyed organizations have built scalability into their data privacy programs to permit addressing new rules from other jurisdictions.

Part and parcel of data privacy program scalability will be scalability of contract management solutions across different standards and regulatory regimes. It'll become an important lever in driving efficiencies for businesses to check whether new contracts contain comprehensive data privacy clauses and to check whether standing contracts are appropriately updated to reduce the need for future repapering of both.

It will, therefore, be important for legal teams to monitor the growing list of international and national data privacy regulations and what contract terms and vendor relationships each of them will impact. All other questions aside, organizations will need the close support of their in-house legal teams and outside counsel in mapping out effective game plans and technology to tackle contract repapering as data privacy regulations proliferate.

 

Rich Vestuto is a Deloitte Risk and Financial Advisory managing director in discovery for Deloitte Transactions and Business Analytics LLP. He specializes in providing leading practice guidance and other technology-based litigation and data retention strategies to corporate and law firm clients.