The GDPR Means Changes to E-Discovery Vendor Agreements

Typically, a client obtaining e-discovery services enters into an agreement with an e-discovery vendor. Such agreements may be for a single provision of services, but if the client is a regular client of the vendor, the parties will often enter into a master agreement that sets forth key legal and business terms, with a statement of work drafted for each provision of services setting out the particulars of that engagement.

Recently, parties are adding a separate set of provisions: obligations arising from the European Union’s General Data Protection Regulation (GDPR) (EU) 2016/679, a regulation in EU law that took effect on May 25, and which addresses both data protection and privacy for all individuals within the European Union and the export of personal data outside the EU. In this month’s article, I will discuss how the requirements of the GDPR have resulted in changes to client/vendor e-discovery agreements.

Standard Master Agreements

Standard master agreements address many disparate issues. They designate the services provider as the vendor and the services recipient as the client, and identify who within each organization represents it, where the organization is located, who receives communication, and so on. They describe, usually as generally as possible, the scope of the services to be provided and the rates of payment for each service.

Agreements can drill as deeply as their creators wish. Topics they cover include:

  • Whether the deliverable meets acceptance criteria and, if it does not, what vendor must do to cure the error;
  • How acceptance criteria can change, making something previously acceptable now unacceptable or previously unacceptable now acceptable;
  • What information produced by a party is confidential, and how such confidentiality may be lost;
  • Whether vendor and its personnel will have to be subject to background checks and, if so, the terms of those checks (e.g., how far back must they go);
  • What cost, in addition to the cost of services, must the client bear (e.g., costs of hard drives and other equipment, cost of travel, taxes);
  • What must be stated in invoices, how long client has to pay undisputed amounts, to whom are they addressed;
  • What causes an agreement to be terminated, e.g., a violation of an important requirement, and the consequences of termination;
  • Other standard clauses, such as those pertaining to indemnification, vendor covenants, force majeure, a general vendor obligation to enforce data security, the ability of vendor personnel to do their jobs, the vendor’s obligation to carry insurance and the minimal limits of that insurance, the client’s warranties that it will cooperate with the vendor and that it has the authority to present the data (to the vendor, to the court, etc.) as elsewhere described, each party’s representation that it has the legal power and authority to enter into and perform under the agreement, each party’s retention of the exclusive ownership of all right, title, and interest in and to any intellectual property created by or for such party prior to or independent of the agreement (background IP), the vendor’s assurance that it will not incorporate its background IP or any third party’s intellectual property into any deliverable without the client’s prior written approval, the client’s position as the sole and exclusive owner of the work product or “work made for hire,” the vendor’s assignation of all right, title, and interest in the work product to the client and its granting to the client a perpetual, irrevocable, nonexclusive, royalty-free, fully-paid, worldwide license (with the right to transfer and to sublicense through multiple tiers) under all of the vendor’s intellectual property rights in any background IP used in or incorporated into any work product to use, reproduce, prepare derivative works of, distribute, publicly perform, publicly display and otherwise use the work product without any restriction.

It should be noted that while standard master agreements treat confidentiality and other topics addressed by agreements that specifically address GDPR requirements, standard master agreements usually do so by relying upon typical, noncontroversial discussions of the topics, while GDPR requirements usually involve reliance upon well-accepted standards or protocols. For example, while standard master agreements have for decades required that data recipients—often narrowed to vendors only—keep data “confidential” in a generalized sense, GDPR agreements, when setting forth confidentiality requirements, rely upon the GDPR and the strictly measurable concepts of which it is comprised, such as strict measurements of confidentiality as set forth by the International Organization for Standardization (ISO).

GDPR-Based Agreements

Unlike standard master agreements, GDPR-based agreements include sections that track carefully the specific responsibilities and commands of the GDPR and make their discharge a part of the agreement. GDPR-based agreements provide innumerable examples of this strategy. Here are some overall strategies:

Written Requirements: While standard master agreements usually define a concept and then state how it applies, e.g., “Confidential Information is any information that the client provides to the vendor and which the vendor cannot release to any third party absent the explicit, written direction of the client,” GDPR-based agreements will refer to definitions, rules and commands stated in the GDPR and note that the Parties must follow such. It is quite common for GDPR-based agreements to require that Vendors implement a comprehensive written information security program (“CISP”) that complies with the terms of the GDPR. It is also common that GDPR-based agreements require subcontractors, i.e., contractors providing services to Vendors, to follow the same security program or one almost identical to it but adopted to fit the particulars of the sub-contractor.

Audits: Standard master agreements generally simply set requirements, but GDPR-based agreements typically also include several means of auditing to determine whether those requirements have been and are being met. Those means typically include the following.

Third Party Auditing: Vendors will bring in third parties to audit IT, digital security, the backgrounds of those with access to client data, and so on, so as to ensure not simply that all potential security weaknesses are audited, but that they are audited by third parties who can be objective in assessing the vendor’s security steps.

Auditing of Subcontractors: Subcontractors, as with vendors, will be audited, so that their trustworthiness does not rest simply on the unsubstantiated guarantees of vendors, the reputations of the subcontractors, or any other untestable basis.

Audit Time Periods: GDPR-based agreements typically require that audits be conducted at least yearly, and can be conducted more frequently. The temporal boundaries are set so that Vendors cannot be considered “compliant” by agreeing to audits but, because no temporal requirements are set, are always considered to be compliant even if no audit is actual conducted.

Physical Security

GDPR-based agreements usually highlight physical security, describing qualifications with great specificity. This description is, typically, very lengthy, and often combines with descriptions of other types of security, since today such types easily mix together (IT security, for example, easily mixes with physical security). Physical security requirements generally include the following.

Confidential Information must be physically secured against unauthorized access in accordance with industry best practices and acceptable standards. The vendor must ensure that all confidential Information will be masked or otherwise concealed to prevent unauthorized viewing by individuals passing by when displayed on any visual output device.

The vendor’s CISP must provide for a security access system, which may include identification badges, logging access, security personnel monitoring and camera surveillance, in alignment with industry best practices and otherwise acceptable standards. The vendor’s CISP must also include standards for mitigating the impact of a fire outbreak by having appropriate fire suppression mechanisms.

The vendor’s co-located data centers must implement at least the following enhanced access control for access to computer rooms within a facility that houses information systems used by the vendor (vendor information systems or VIS) hardware”: picture identification badges of analysts; 24/7 security guards monitoring entrances to the facility where confidential information is accessed, stored, processed or destroyed; identity verification using government issued IDs of outsiders entering the facility; electronic access control, using badge or access cards, to any facility where confidential Information is accessed, stored, processed or destroyed; enhanced access control for access to computer rooms within a facility that houses VIS hardware; camera surveillance (CCTV) with active monitoring or integration into a detection system; and, vendor-occupied office floors with electronic access control using the principle of “least privilege” to any computer rooms within vendor’s office that house VIS hardware, meaning that vendor personnel must have at least the lowest permission levels that they can be assigned that does not prevent them from completing their assigned tasks. There may be no windows or other exterior access points present within such computer rooms. Vendor must have procedures in place to verify that receipt and delivery of hardware and other equipment are authorized.