Do companies need a lawyer to draft their agreements for GDPR?

Yes. It is a good idea to have a lawyer involved when drafting GDPR-related agreements, for the following reasons:

  1. The provisions are detailed: A customer agreement may contain detailed GDPR clauses that must each be addressed. If your company is not yet GDPR compliant, legal expertise helps you identify which requirements the agreement commits you to and how to meet them.
  2. It is not a one-time exercise: Drafting an agreement may look like a once-off task, but the rules and guidance around the GDPR keep changing. Standard Contractual Clauses (SCCs) and Data Processing Agreements (DPAs) need to be reviewed and updated regularly, and a lawyer can advise on how to keep them current.
    In addition, under the GDPR any processing of personal data that a processor carries out on a controller's behalf must be governed by a contract. That contract between controller and processor must, among other things, record the controller's instructions and impose confidentiality undertakings:
  3. Documented instructions from the controller: The processor may process personal data only on documented instructions from the controller, including with regard to transfers of personal data to third countries or international organisations.
  4. Confidentiality undertakings: Every person authorised to process the data must be under a duty of confidentiality, either under contract or under statute.

The GDPR also lists further obligations that a controller-processor contract must contain, and these are legally binding on both parties. Getting their wording right is where legal drafting matters most. For example, the contract between the controller and the processor must include:

  • Audit and inspection obligations: The processor must make available all information necessary to demonstrate compliance and must allow for and contribute to audits and inspections conducted by the controller or by an auditor the controller mandates.
  • Assistance to the controller: The processor must help the controller meet its own data protection obligations, for example the security-of-processing measures required by Article 32 and responding to data subject rights requests under Chapter III.
