The new data protection laws which come into effect on 25 May 2018 require new terms in contracts between organisations and cloud-based suppliers.
Organisations affected include those which use cloud-based software to process their employee data, outsourced IT services, practice management systems or similar. Indeed, any relationship in which a third party processes personal data that the organisation controls needs to have its contract updated. This is a legal requirement.
Many things need to be included but here are the headline requirements:
- a clear description as to how and why the data will be processed and the type of data being processed
- a requirement on the processor to comply with the controller’s written instructions about use of the data
- the processor must make sure any of its sub-processors and employees are bound by a duty of confidence in relation to the data
- the processor must submit to audits by the controller
- Review and update current contracts now
- Ensure new contracts are compliant