Marian Serna

How Tech Startups Can Reduce Privacy Risks Through Contracts

published Aug 13, 2019

Nothing in this article is intended to be considered legal advice. All contents and opinions belong exclusively to the author and do not reflect the opinions of her employer(s).

Reviewing contracts can be a hassle for many; however, doing so may save you future headaches. One of the ways to ensure that your company is doing its best to be compliant is to verify that your providers won’t make you non-compliant.

It is complicated to determine what you need to examine because it depends on what type of agreement you are signing and the particularities of your situation (e.g., what obligations the other party is undertaking, what risk you are willing to take, what the nature of the outsourced work is, etc.); however, this article provides a generic view of things that you should read carefully and, when necessary, request to have changed.

It is important that you understand that contracts are all about language. How things are said within the contract will have a big impact on that contract’s interpretation in any case of dispute (e.g., the verbs used may have a huge impact on the way a provision can be applied). There are many articles online that discuss generic interpretation rules; besides those, pay careful attention to the definitions. When you find a capitalized term in the text of your agreement, it should be defined, and that definition may not be exactly what you would assume.

Now, the idea of this article is to discuss what a tech startup needs to look at in order to ensure that its service providers don’t make it non-compliant. Let’s proceed.

First of all, forget the fact that your company is a “small company”. It is a common thing to hear that because the provider is a much bigger company, they won’t change the contract for the startup. It is inconvenient for a service provider to be seen as non-compliant so, even though it is possible that they won’t accept all the changes you request (just as in any negotiation), it is more than likely that they will work with you to make sure that at the very least your minimum legal needs are covered. A good way of dealing with this is having several providers to choose from.

Beware that when you subcontract data processing functions you remain liable for that data; therefore you want to ensure that your provider will do its best to have you covered.

Basic Considerations

  1. Define your privacy and security requirements: Consider what data you handle, what part of that data you’ll be passing on to the service provider, whether there are any data localization limitations on that data (e.g., public sector bodies’ data in British Columbia and Nova Scotia, tax records, and personal health information in New Brunswick, among others, are examples of data that is required to remain in Canada), how long you are allowed to keep this data after the purpose of collection is over, etc.

  2. Before disclosing any information to the provider, make sure you have signed a non-disclosure agreement (NDA) and read the definition of confidential information to confirm that personal information is part of it. Further to that, verify that the NDA has a protection term that covers your needs (e.g., for the time of the agreement plus the time data will be retained by the service provider and, if backups are kept, that they will be subject to the same confidentiality provisions for the time those backups are retained).

  3. If you are subject to GDPR, ask your service provider to supply a data processing agreement or ask them to sign your own (you can see the template for reference here:

  4. Service providers’ agreements usually go beyond the contract you are asked to sign and include additional terms, many of which can be found online. If that is the case, ask that they refer you to the exact link where you can find those agreements so that you don’t read the wrong thing. Further to that, request that they provide their security standards, privacy policy, disaster recovery plan, and data retention policy.

  5. In relation to the terms of the contract itself, below are some important factors:

    • Subcontracting rights: If your service provider is allowed to subcontract, there must be limitations related to where they can send your data (based on data localization restrictions), they should only be allowed to share information on a need-to-know basis, and they should provide confidentiality agreements that offer at least the same level of protection as the one you signed with the provider. It would also be a good idea to verify that this provider does not exclude liability for any activities of its subcontractors.

    • Liability for Data Breach/Loss: Verify that they are liable for events where data is lost or where they have suffered an attack affecting your data (read the limitation of liability and indemnity clauses). In the case of licensing agreements, where you receive a copy of the software, establish whether they are liable for any issues related to a failure in their software that could potentially affect your customers’ data.

    • Data Localization: Ensure that the contract and/or applicable SOWs specify where your data will be kept and make sure that localization works for your particular legal needs. If the personal information is leaving Canada, it is your responsibility to verify that the other country provides a similar level of protection to the one the information would be subject to at home.

    • Protection Measures: The contract/agreement should state what their security standards are and how they will protect your data.

    • Aggregation Clauses: A data aggregation clause typically allows service providers to anonymize your data and put it together with that of other service providers’ customers for the purpose of “improving” the services. Some people tend to assume that this is an analytics clause. Depending on how the clause is written, it is possible that it is used for analytics purposes; that being said, this clause could allow the service provider to use the data to create its own products (which could be, for example, a compilation of data to be commercialized or simply a totally new product). Data aggregation clauses may have consequences for your company if, for some reason, the data isn’t properly anonymized before aggregating it or it can be de-anonymized somehow. Unless you exclude liability for this or request the clause to be deleted, in any event where things go wrong with this process, you could be held liable.

    • Commitments that would require user consent: Make sure you read carefully what you’re committing to. Some commitments may require you to request consent from your users for things that won’t benefit you but only the service provider.


In conclusion, read your contracts carefully, try to understand what the particular obligations of your company are in relation to personal information, and make a conscious attempt to reasonably share risks with your service provider.