Data privacy regulations will significantly impact contracts in 2023, requiring businesses to invest more time and resources into reviewing and updating their agreements to keep up with legal and regulatory requirements. Businesses will also need to focus on obligations to and from third-party data holders and implement measures to ensure that personal data is protected and used responsibly.
Businesses that proactively address these challenges will be better positioned to navigate the complex landscape of data privacy regulations and operate legally and ethically to increase revenue and build trust. This article highlights some of the ways data privacy laws will impact contracts in the near term.
Increased Volume of Data Processing Agreements
One of the most significant impacts that data privacy regulations will have on contracts is an increased need for Data Processing Agreements (sometimes referred to as a Data Protection Agreement or DPA).
In 2023, five U.S. states (California, Utah, Virginia, Colorado, and Connecticut) require Data Processing Agreements and require that they include clauses covering the following components: Purpose of Data Processing, Type of Data Processed, Data Processing Instructions, Duration of Data Processing Rights, and the Obligations of Both Parties.
Data Processing Agreements should outline the terms and conditions under which a company (aka processor) may use (aka process) personal data. Data privacy regulations typically require that individuals’ rights be protected in Data Processing Addendums.
As a result of this increased need for Data Processing Agreements, businesses will need to either 1) update their current contracts by way of an amendment or addendum to required terms or 2) include data processing requirements in a new contract. This extra lift will require businesses to invest more time and resources into reviewing and updating their contracts, and contracts professionals will be expected to become more knowledgeable about data privacy laws and terms.
Increased Obligations of Third-Party Data Holders
An additional impact that data privacy regulations will have on contracts in 2023 is an increased focus on the obligations of third-party data holders. Businesses that work with first-party data companies must ensure that these third-party data holders also comply with data privacy regulations. This means businesses must include specific provisions in their contracts with third-party data holders, outlining their obligations to protect personal data and comply with data privacy regulations.
California, Virginia, Colorado, and Connecticut also require that third-party data holders assist first-party data holders with auditing data and complying with their data privacy obligations. Data Processing Agreements should require processors to have similar terms with their subcontractors to ensure proper flow of data protection.
This will add an extra layer of complexity to contracts, but it is necessary to ensure that businesses fully comply with data privacy regulations and laws.
Increased Focus on Data Operations
Data privacy regulations will lead to a greater focus on data operations rather than just data compliance. In the past, businesses have focused on ensuring that they are compliant with data privacy regulations. But in the future, businesses will need to go beyond their own internal compliance and actively implement and document measures to protect personal data and ensure that data is used responsibly.
This will require businesses to better understand their data operations, including how data is collected, processed, and stored. It will also require businesses to invest in new technologies, such as data encryption and anonymization, to better protect personal data.
Adapting to Changing Regulations
The rapid increase in data privacy laws has significant implications for contracts, as businesses must now navigate a complex landscape of data privacy regulations to operate legally and ethically.
Businesses must also be prepared for the potential of additional data privacy regulations, as the trend towards increased data privacy protections is likely to continue. This means that businesses will need the flexibility and resources to adapt to changing regulations as they arise to remain compliant and protect personal data.
To stay ahead of these data privacy changes, businesses will need to invest in ongoing training and education for their employees to ensure they are aware of the latest data privacy regulations and best practices. This will also require businesses to have dedicated data privacy teams and resources, who can help to ensure that contracts are reviewed and updated regularly, and that data protection measures are implemented and upheld. And, of course, businesses will need their own contract templates and playbooks covering data privacy agreements.