Publish date: 3 February 2025

Data protection in commercial agreements

Following the introduction of the UK Data Protection Regulation (‘UK GDPR’) on 25 May 2018, businesses scrambled to introduce privacy policies, update data protection procedures and carry out detailed reviews of their existing contractual documentation. However, businesses should bear in mind that data protection law has continued to evolve since the introduction of the UK GDPR. On 23 October 2024 the House of Lords sat through the first reading of the Data (Use and Access) Bill, which is set to further amend UK data protection law. Businesses should take time to ensure data protection is properly assessed and covered in all aspects of their trading and contractual agreements.

Background

The UK GDPR enshrines the core principles of the EU regulation on data protection. These include lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality. Its scope covers the processing of personal data of data subjects collected within the UK, or where a data controller or processor is subject to UK law. The regulation affords data subjects a variety of rights: to access their data, to rectify incorrect data, to have data erased in certain circumstances, to data portability and to restrict its use where possible.

These requirements have not only given data subjects additional rights, but have also placed onerous burdens on businesses involved in managing data. In the event of a breach, the Information Commissioner’s Office (ICO) can fine up to £17.5 million or 4% of an organisation’s total worldwide annual turnover, whichever is higher. Businesses should take the burden of good data management and data compliance seriously for both ethical and financial reasons.

Commercial contracts

Whilst businesses often have a strong handle on their internal personal data flows, they tend to neglect data provisions in their contractual agreements. As both data processors and data controllers can be found liable under the UK GDPR, contractual parties should seriously consider data protection in their agreements. Data protection provisions should be present in most commercial relationships, regardless of the information shared, to ensure certainty of obligations and apportionment of responsibility for the duration of the relationship. There are many methods of negotiating and agreeing how data should be protected between businesses, as set out below. At a minimum, parties should include and negotiate a robust data protection clause in their agreements to codify and protect their data interests.

The construction of a data processing clause

All data protection clauses should clearly deal with the following data protection issues:

  • Data Parties: the parties should be clearly defined under the agreement. Businesses should consider who the data controllers are, who the data processors are, and who the data subjects could be. These should be clearly understood and defined in the agreement; without clarity, it is unclear where the risks lie and where the responsibility rests.
  • Data Processing Obligations: the obligations on the data processors and data controllers should be defined and listed. Data should be processed only as needed for a defined ‘purpose’, and in accordance with the sharing party’s instructions. Parties should be clear on this purpose and agree the scope of the obligations accordingly.
  • Security Levels: while this can be kept reasonably high-level, the appropriate standard of data protection should be formalised and maintained to avoid either party facing enforcement action under the agreement.
  • Data Subject Rights: the parties should always keep in mind the data subjects and their rights. Rights to access, rectification and erasure (the ‘right to be forgotten’) should be considered when designing processes and procedures for protecting and sharing data under the agreement. Timelines should be agreed in advance to ensure compliance with ICO requirements.
  • Notifications: the parties should be clear on the requirements for timely notification of each other in the event of a subject access request or data breach under the agreement. These procedures should be UK GDPR compliant, and reasonable for all parties to comply with.

This is not an exhaustive list, and there may be a plethora of other issues to clarify when negotiating a contract. As every agreement has unique risks, the clauses negotiated may require amending based on the context of the data shared and the data risks faced.

Scope and form of protection

As previously alluded to, the scale of data sharing and the scope of data protection requirements should be considered for any commercial relationship created. Whilst low levels of personal data processing may be sufficiently dealt with by a comprehensive contractual clause in an agreement, there is no ‘one size fits all’ approach to managing data processing and data transfers. Businesses can utilise a wide variety of data protection documentation to ensure UK GDPR compliance. These can include, but are not limited to:

  • Data Protection Agreements between contractual parties
  • Non-Disclosure Agreements containing data protection clauses
  • Accessible Privacy Policies and notices
  • Standard Contractual Clauses, Binding Corporate Rules or International Data Transfer Agreements for transfers of data outside of a jurisdiction.

The data protection landscape is constantly evolving and is fraught with potential pitfalls for businesses of all sizes across all sectors. In 2025, the scale and risk of data sharing will only increase. With potentially significant financial penalties, businesses should ensure contractual security whenever data is to be dealt with.

We understand that data protection is a complicated issue with varied requirements in every situation. Our experienced team can help ensure your commercial relationships meet your data protection needs while maintaining collaborative business relationships. Contact us to discuss how we can support you with your data protection requirements.
