I have assumed that it is recommended to have a clause referencing data security in employee and commercial contracts with suppliers and clients.
We therefore have an action to create a new standard contract for employees, suppliers and clients to include the new data security requirement.
However, my question is, what is the recommended approach for existing employees, suppliers and clients who’s contracts do not include the necessary data security clause. Should we be sending an addendum to the contracts? Is it recommended that we do this as part of our ‘treatment’ action on the data security risk that employees, suppliers and clients alike pose to our business.