IRSG example GDPR ready processor terms

Published 1 Aug 2017

The International Regulatory Strategy Group, in conjunction with Clifford Chance and DLA Piper, has produced a document to help inform organisations of the requirements arising from the implementation of the EU General Data Protection Regulation (GDPR) in relation to data governance and compliance controls in the supply chain.

The GDPR imposes stringent requirements for controllers appointing processors, including prescribing various matters which must be stipulated in a contract or other legal act (Article 28).

The European Commission and supervisory authorities have the power to adopt standard contractual clauses to meet these new requirements.  However, there is currently no example template to assist organisations as they tackle the sizeable “re-papering” challenge to ensure supply chains are GDPR ready for the implementation deadline of 25 May 2018. 

The IRSG Data workstream has therefore produced a suggested set of processor terms to help inform organisations of the new requirements and how they might be addressed.

Vivienne Artz, Managing Director and Global Head of Privacy Legal and Head of International for the Intellectual Property and Technology Law Group, Citi, (Chair of the IRSG Data work stream) commented:   “As the deadline for the implementation of the GDPR approaches, firms still have much work to do to prepare for its new requirements. This addendum relating to Article 28 (Processor Terms) provides a valuable contribution to this work, in the absence of official guidance in this area.   We are extremely grateful to DLA Piper and Clifford Chance for their work in producing this example template and we hope that it will assist firms in the financial services sector and beyond as they prepare for the GDPR May 2018 deadline.”