Given you are talking about actually processing personal data (suppliers' reps details), if this falls under the GDPR then it would be prudent to update the contracts to that effect (See Art 3 of the GDPR for full territorial scope, but this could mean a company based in the EU or processing data from EU individuals or companies). I believe the first step is reaching out to your Legal team and DPO and get an assessment specific to your business operations and identify the cases where you qualify as a data processor or controller. As a general approach, according to Art. 5 of the GDPR, you need to inform the individuals about collecting and processing their data, as well as the purpose of the data processing. Direct consent could also be required (see Art 7). If your organisation has already implemented the processes to comply with the GDPR, it would only be a matter of including it in the contracts or working with localised templates (i.e. include it only for your company's OUs or suppliers based in the EU).
Hi there. I have submitted and forwarded your question to Daniela Badescu, who is the practitioner in charge of the IACCM Community of Interest "Data Privacy and Data protection", and who has recently delivered a webinar on GDPR. Daniela will be back to you on this. Thanks
• Willis Towers Watson
This is a very interesting point. Thank you for raising the question.
As all is still new with GDPR, it's hard to say what the actual practice is.
One aspect to consider is that the administrative fines are tiered, with the first being up to 2% of the turnover or 10M Eur (whichever is higher) and the second tier up to 4% or 20M Eur (whichever is higher).
Let's assume a consultant provides a set of recommendations and implementation guidelines. GDPR consultants could argue that following that advice is the company's business decision and that applying and maintaining the processes to remain compliant is the company's responsibility.
Also, holding a consultant liable for up to 4% of their customer's turnover may be more than what they can/are willing to cover. I.e., assume an organisation has 10M EUR turnover: this means the consultant's liability would be up to 400,000 EUR. How does this measure against the consulting fee?
To set up a liability coverage, I believe it may make sense to look at fines in the context of specific contractual obligations and see if based on that, the fines qualify as direct or consequential damages.
It may be different for contracts where there is a continuous service to design, maintain and review the GDPR related processes. Still, the level of liability remains subject to negotiation and I would rather expect it to be tied to the actual contract value and not on fines or other operational costs that may result from non-compliance.
What type of contracts are you looking at? It would be great if you can share what you have seen.
thank you for your kind response!
It seems it is becoming practice for companies seeking GDPR consultants to require liability for administrative fines and related costs incurred.
You have asked about the contracts, these are service/consulting contracts between GDPR consultant and SME company (client) which intends to outsource the GDPR management/compliance to an external consultant. The services would typically include investigation of readiness for GDPR, preparation of guidelines the company should comply with with regard to GDPR, impact assessment and gap analysis. The value of such contracts is a fraction of the administrative fines which might be implied upon the client by the authorities in case of GDPR breach. GDPR consultants who refuse to accept full liability for the administrative fines often lose their opportunities and clients.
I do not fully understand your paragraph on direct and consequential damages. Could you please kindly explain?
Thank you again for your time and help.
• NISSAN Europe (Alliance Renault)
Please share any market trends regarding "super caps" instead of unlimited liability in case of data and/or security breaches for SAAS, PAAS and IAAS contracts, Thanking you in advance, Hubert
Hubert - this wasn't SaaS, PaaS, IaaS specific - but on most recent contracts relating to ICT managed services I've worked on (network and apps support) customer took an approach of requesting unlimited liability, then relaxing back to super cap between £15 - £25m (depending on bargaining power).
• San Diego Association of Governments (SANDAG)
We quickly identified the "usual offenders" who turned tracked changes off, made changes, then turned it back on, but we believe that most were accidental oversights. To prevent these, we just about always use locked tracked changes both internally and externally.
You'll have some resistance first, but eventually all of the stakeholders get used to it.
• Infrastructure Ontario
I prefer to run my own comparison rather than rely on a counterparty's. This avoids the question of whether an oversight was intentional or not.
• Schweitzer Engineering Laboratories, Inc.
There are a couple of relatively simple clauses which mitigate currency risk, such as:
If the ratio between ___________ (local currency) and USD, based on 1 USD equaling X _______ (local currency), varies by more than ___%, the Price (rent paid in X) shall be automatically adjusted to maintain the original ratio of X _______ to USD which existed on the date this Agreement was signed.
The parties agree that:
1) the contractual price is based on an identified fixed exchange rate between your currency, X, and the second currency, Y, (called the 'base rate'), and that
2) if the exchange rate on the actual date of payment differs by more than x % from the base rate, then
3) the contract price shall be adjusted accordingly.
I suppose that this has been resolved in the meantime; however, I wanted to share my view. Your idea about a review after 3 months, or even 6 or 12 months, is quite common and would be my advice. Typically, KPIs have some specifics depending on the environment, hence a review and adjustment after some time would be beneficial for both the customer and the supplier.
Maybe, if you read this, can you share how this was finally approached and resolved?
Clearly a lot of advice and this may get lost in the deluge. In contracts I negotiate we always include a Performance Implementation Period (PIP) with the agreed aims (between the parties) of determining whether the KPIs are:
a. driving the desired behaviour,
b. measuring the actual outcomes, and
c. fair for both parties.
We would normally request 6 months, but this depends upon the length of the contract.
Remember that it is not in the client's interest for you to go bust.
Two things I always work towards:
1. Both you and the client have the same goal - a needed product. Both of you want the program to succeed.
2. KPIs should be output focussed - what the client needs in the end. No more than 2-3 KPIs.
Introduce System Health Indicators (SHI) as a tool to measure the detail.
Hope this helps
Stuart - I am not sure a UAT (assuming this is User Acceptance Test) would fully ensure the KPI's are ideal, as the UAT could potentially only assess whether there will be compliance to sub-optimal KPI's, leading to a sense of reasonableness but not necessarily effectiveness.
So, the ideal approach really needs to rely on a process. If you do not have an end-to-end contracting process the KPI's will usually prove problematic.
Early in the process, before ever approaching the contractor/supplier market, the customer entity needs to identify the overall objectives and goals from the project and related transaction - both from a relationship and contract document perspective. For example, one might identify risk mitigation, or cost leadership, or perhaps cyber-security as the key purpose and objective. Then the customer enterprise must identify the sub-objectives that enable the broader purpose. This all needs to be performed as a team, include those who will be leading the post-award phase. The KPI's need to then be included in the RFx/tender documents, as well as negotiated.
But, it sounds like you do not have the ability to take these steps now. The option that you suggest of a three-month trial period represents a potential solution. Plus, the three months might afford you time to undertake some of the above steps as well.
• Tullow Oil plc
Hi Stuart, just a few of thoughts building on the below - They may not commit to any change of the KPIs as these are often standard for all customers - the below are just observations around the theme that may or may not be useful, and their strength will depend on what the software does, how much you've spent on it, how core to your business is etc.:
1) They'll be most open to discussions when annual maintenance renewal time comes around, as that's when there's normally money on the line - so if the user community can be corralled into speaking with one voice, they could be a powerful ally in helping review whether the KPI's are useful in the first place and then challenging those that aren't
2) Also consider whether there are other potential purchases or expansions into your business - the person who originally sold you the software will probably have some sort of target to sell you more (even if via an audit...), so if it turns out that you can use the opportunity of future sales to sharpen up their performance then that might help
3) My cynicism is that a number of vendors will deliberately sell software that hasn't been fully tested, and then their customers essentially complete the testing through raising support tickets and the supplier improving the software through trial and error. See if the supplier has a user support community where you can compare the number of tickets you're raising vs. others, and whether root causes of any issues that arise are training or software-based
4) Maybe compare the functional specification with performance in reality - given that vendors typically warrant that the software will perform with the documentation, the argument most likely to drive change is more likely to be whether the system isn't performing against spec rather than they're missing KPIs
Hope this is in some way helpful, let me know if there are aspects you'd like to follow up on.
• Toyota Material Handling USA
Stuart, agree completely with others' comments/ideas posted. Really think the key will be in communicating and documenting your overall objective. It doesn't sound as if you are certain that a clear overall objective has been communicated to your software provider. If that is truly the case, would get to work on detailing it as soon as possible (at the time of the RFP would be best). Be prepared to have a conversation with the software provider after you're comfortable that the overall objective is clear. It may be that an amendment to the agreement will be needed.
Would also consider creating a process for determining your overall objective prior to your next RFP going out. For example, create a cheat sheet of general key topics to be covered: legal entities to the agreement, key contacts, pricing, payment terms, purpose of the agreement, etc. Find that when a process has been defined and I follow the process every time, there are fewer of those "uh-oh" moments.
• Housing New Zealand
Hi Stuart, all great comments to consider. Having been in exactly the same position 1 year ago, these were some of the key lessons learnt.
1) Keep it simple - don't unnecessarily overcomplicate it.
2) Inputs or outputs based KPI's
3) What is your customer's / business key requirements - requires alignment
4) What's more important the KPI's or SLA's (there is a difference)
5) determine if the urgency to get the agreement signed outweighs the importance of fully developing the KPI's/SLAs.
While we don't have the full details, your proposed solution to this can be a way forward and can have teeth; provided you clearly articulate the review criteria in the agreement. But as mentioned before, vendors typically have standard SLA/KPI's and anything bespoke usually costs a premium especially after the fact. So I would urge you depending on the importance of this implementation and the impact on the business, to resolve this before you sign.
• Taystar Inc.
Perhaps this has resolved itself already, but perhaps consider looking at the 10 Pitfalls in the IACCM resources and working WITH the Contractor to identify (perhaps 5) KPIs that relate to the work being undertaken in the first calendar year. Then evolve those based on experience/needed improvements.
It is essential that measurement criteria be established and agreed up-front (documented in a Guide signed by both parties) and that measurement timelines are adhered to. Have experience with payouts against a x% holdback on a periodic basis based on a sliding scale scoring of measurement criteria (significantly below expectation = full retention of holdback by Owner; significantly above expectation = 1.5 x holdback paid out; on par with expectations = holdback paid out).
At least agree that some form of Perf Measurement will be undertaken (jointly developed) at the time of signing the contract. Implementation can follow asap thereafter.
• Academy Sports + Outdoors
What about asking for some reference customers and reaching out to them?