With veterinary practices increasingly embracing digital platforms and automated systems, the volume of data handled in a typical veterinary practice has surged. The type of data handled can vary and will cover anything involving the storage or use of information relating to named individuals, such as customers (past or present), employees, suppliers or other named individuals within a veterinary practice network. This data attracts the attention of potential cybercriminals, underscoring the escalating importance of data compliance.
Most practices will, by now, have privacy policies and data protection procedures in place in light of the rigorous regulatory framework in force which emphasises the importance of data security. It is essential for practices not only to have an awareness of how to manage and protect any personal data they receive and collect from their customers and/or suppliers, but also to review any ongoing and new commercial contracts to ensure that they are up to date and reflect the most recent legislative framework requirements regarding data protection.
The data landscape
Data protection legislation in the UK and the European Economic Area (EEA) requires data controllers to undertake due diligence on parties they appoint as data processors or with whom they share personal data. This means that data controllers should use only data processors that can demonstrate their internal compliance, document the security of their IT systems and implement appropriate technical and organisational measures, as required by the General Data Protection Regulation (GDPR), in order to protect data subjects’ rights.
The first question is therefore to identify whether your practice is a data controller or data processor. Simply put, does your practice collect personal data and determine how this data is used? Or does your practice simply receive personal data from another entity and use this to provide a service?
Managing your contracts
Both data processors and data controllers can be liable under UK GDPR, and so it is in both parties’ interests to ensure that data protection is adequately considered and addressed in commercial contracts, regardless of whether they operate an outsourced function or whether the data processor is processing data as part of a wider service contract on behalf of the data controller.
Data protection provisions should always be present in commercial contracts so there is certainty and clarity on what each party is expected to do with the data.
Depending on the nature of the contract, provisions should be included which state the exact details of the processing and the type of data involved, together with provisions setting out the processor’s obligations. This may include standards the data processor must meet when processing personal data on behalf of the controller and the permissions it needs in relation to that processing. Some of these provisions could include: the data processor acting only on the written instructions of the data controller; engaging sub-processors only with the prior written consent of the data controller; and obligations on the data processor to adopt appropriate technical and organisational measures to keep data safe and secure.
Risk and liability
Alongside the contractual obligations, the parties will also need to decide the risk and liability allocation for data breaches. Usually, in commercial contracts, these are defined within the “parties’ obligations” section and will normally include a series of liability and indemnity clauses. Regardless of whether you are a data processor or data controller, you must always be wary of agreeing to indemnities relating to data breaches, because agreeing to indemnify another party for such breaches will essentially create an obligation to “promise to pay” the other party in the event of any losses or damages suffered by that party. Indemnities are calculated on a pound-for-pound basis and are (depending on the drafting) not subject to the usual common law rules of remoteness of damage (ie indirect damages) or the duty to mitigate.
Final thoughts
Data protection legislation is ever-changing – we have seen a lot of updates to the regulatory landscape over the last six years: firstly, Schrems (Privacy Shield), then Brexit, then new European standard contractual clauses (SCCs) and now the new UK international data transfer agreement (IDTA). There is also the Data Protection and Digital Information Bill (DPDI), which was due to enter the report stage in the House of Lords in June 2024. On 23 October 2024, the UK government introduced the Data (Use and Access) Bill (DUAB) to Parliament. The DUAB aims to simplify compliance for businesses and enhance data rights for individuals, particularly around automated decision making and data processing transparency. While it retains core principles from the DPDI, the DUAB introduces streamlined requirements for data processing, especially for small businesses, and promotes more flexible data-sharing practices to drive innovation without compromising privacy. This evolution reflects a growing balance between regulatory oversight and fostering data-driven growth across sectors.
Make sure your contracts contain adequate data protection clauses and ensure that you are up to date on data protection issues – don’t be caught out!