As a provider of online services that handles personal data, we clearly take our obligations under the General Data Protection Regulation (GDPR) extremely seriously – it is our bread and butter.
Not surprisingly, we have been approached by a significant number of our customers wanting assurance about our GDPR compliance. In some cases they wanted legal documents to be signed and/or questionnaires to be filled out. In some cases it was also clear that they wanted us to sign up to terms outside of our normal terms and conditions.
For a company like ours with a large number of customers, many of them quite small in monetary terms, this is simply not possible. We have therefore adopted an approach in common with other online service providers:
- We have produced a standard Data Processing Agreement which you can access on our website at appraisal360.co.uk/gdpr – this covers all the essential elements of GDPR and should provide the necessary assurance for our customers.
- To ensure no inconsistent or additional terms are imposed on us beyond those reflected in our standard DPA and model clauses, we cannot agree to sign customers’ DPAs. Also, we cannot make individual changes to our DPA, since the costs of doing so would be prohibitive. Any changes to the standard DPA would require legal counsel and a lot of back-and-forth discussion that would be cost-prohibitive for our team. We understand that we might lose a few customers because of this. But the cost of a lost customer is way less than the cost of passing every change to our lawyer and having a back-and-forth about it with the client, not to mention the cost of maintaining multiple versions of the agreement.
We understand that GDPR is a new and important change to the way personal data is handled and processed – and by and large a welcome one. However, we also believe that the approach we have taken will quickly become the norm for businesses such as ours that process personal data as their main line of business.