UK Law and Practice Contributed by: Richard Brown, Louisa Chambers, Adam Wyman and Michael Ross, Travers Smith LLP
outsourcing contracts will be relational contracts (ie, long-term, involving a high degree of communication, trust and co-operation and perhaps even exclusive, among other factors), similar constraints may sometimes be implied into other contractual provisions. This is usually on the basis that those constraints are necessary to ensure that the relationship – as formalised in the contract – works as intended. However, as a general rule, the more detailed the contract, the lower the chance of the courts implying additional terms to any significant extent.

It is also possible for terms to be implied based on “custom and usage” – ie, normal market practice or where there has been a previous course of dealing between the parties. However, these would typically only be relevant where the express terms of the contract do not address the relevant issue in sufficient detail. By way of example, if an outsourcing contract had expired but the parties continued to deal with one another without having agreed a new contract, an English court might imply terms similar to those contained in the expired contract (based on the parties’ previous course of dealing).

4.5 Data Protection and Cybersecurity

The Data Protection Laws (see 2.3 Restrictions on Data Processing or Data Security) require certain prescribed provisions to be included in contracts with suppliers that process personal data on behalf of the customer, so as to ensure that minimum security levels are met in respect of any personal data which is processed. These include requirements for the supplier to:

• only process data in accordance with instructions from the customer;
• assist the customer with achieving compliance with its own obligations to take appropriate measures to ensure security of processing; and
• back up its obligations with subcontractors to the extent that they process personal data.

Following changes introduced by the UK GDPR, data processors are now directly liable for some infringements. As a result, it is not uncommon to see provisions included in contracts to protect their position. Also, given the far higher penalties now available, specific liability apportionment for losses resulting from a breach of contractual provisions (and statutory obligations) is becoming more common.

In some cases, the supplier may be processing personal data as a standalone data controller rather than as a data processor on behalf of the customer – for example, in some contracts for the outsourcing of pension fund administration. In these situations, the contract will usually include clauses requiring the supplier to keep personal data safe and secure, and to comply with its obligations as a data controller under the Data Protection Laws, particularly in respect of any personal data that the customer may transfer to it or vice versa.

Sector-specific legislation and guidelines (see 2.2 Industry-Specific Restrictions) also impose requirements in relation to data and cybersecurity (for both personal and non-personal data), which are often flowed down to suppliers within an information security schedule. Similarly, such legislation and guidelines impose requirements in relation to business continuity – for example, the implementation, maintenance and testing of business continuity and disaster recovery plans, as well as requiring business continuity to be addressed in relation to exit. These matters are commonly addressed as part of separate business continuity and exit schedules.

4.6 Performance Measurement and Management

As noted in 4.1 Customer Protections, outsourcing contracts often include specific service levels or key performance indicators (KPIs) in relation to the standard of performance of services. These are typically set out either in the outsourcing contract itself or in a separate service-level agreement (SLA) appended to the contract. They will generally be linked to obligations on the supplier in respect of monitoring and reporting on service levels/KPIs, often combined with audit rights for the customer to allow the customer to audit the service provider’s compliance with the contract.

If the supplier does not meet the specified service levels set out in the contract, the contract may provide