Over the past few months, Ascentor has published a series of articles tackling the issues on the typical GDPR to-do list. Our blog post looking at the Data Protection Officer (DPO) proved to be one of our highest read ever, so we’ve decided to look at one of the DPO’s responsibilities – ensuring that the data processor used by the organisation complies with data protection law.
Getting this right will play a big part in avoiding the risks that organisations face when processing personal data. But what goes into considering whether the contractual obligations in place between yourselves and your data processors provide adequate protection to comply with data protection law?
A little background
Before we cover this issue in depth, just what is a data processor?
Many organisations will have used the services of other companies as data processors for one purpose or another without giving it much consideration, until now. It is not that the law hasn’t required formal arrangements between controllers and processors (see Schedule 1(12) Data Protection Act 1998); rather, GDPR now makes the requirements more explicit and key to achieving compliance.
Data Processor: Article 4 (8) of the Regulation says “Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
The “controller” mentioned here is actually the “data controller”, and that’s you – the organisation responsible for making decisions about the personal data you hold. The data processor relationship is so important because the processor deals with (or stores) personal data in accordance with the instructions of the controller.
Typical examples of data processors are suppliers providing outsourced services to the controller, such as marketing, accounting and HR services.
To achieve compliance with the law, all activities undertaken on your behalf by a data processor will need to be governed by a contract which meets the requirements of Article 28 GDPR.
Considerations when reviewing or choosing a data processor
There are several key things you should consider before you decide which data processor offers the most appropriate service for your needs.
Activities: Consider what you actually want your data processor to deliver. Some suppliers, such as cloud software services, become a processor by default as you cannot use their services without the service provider having some responsibility for the data you place in their storage. You may also seek other data processors specifically to carry out a certain set of tasks on your behalf. As part of their activities, ensure your data processor can help you meet your obligations in respect of the data subject rights conveyed under GDPR.
Consider the scope of the work you need them to do for delivering the service or task in question. The more you ask a data processor to do, the greater control and monitoring you are likely to need to put in place.
Transparency: You should consider how your use of third parties is communicated in the information you provide to data subjects to explain the processing of their data. Transparency is undoubtedly the way forward, but if you choose a data processor with a reputation which your data subjects do not find acceptable, they may be less willing to do business with you. Beware of any processor who tries to contractually prevent you from telling data subjects openly about your working relationship.
Location: GDPR does not prevent you from processing personal data anywhere in the world, but it does require you to ensure that adequate controls are in place to protect the data and the rights and freedoms of the data subjects. You must therefore consider whether or not a legal transfer mechanism exists for data processing activities undertaken outside of the EU. If no mechanism exists, then it is up to you to put in place an appropriate control mechanism to ensure the rights and freedoms of data subjects remain protected. Often this will be through an agreement based on the EU standard contractual clauses, but GDPR lays down a number of options and considerations.
Data sharing: Consider whether your data processor is asking to become a data controller for any of the data they will process. It could be that they need a little of the data they receive for their own purposes, such as billing you for their services, but be aware of those who seek to use it for other, wider purposes, such as their own marketing activities.
You may not have a legal basis to provide them with the data for their own purposes, and if you agree to do so without this being in place, you are likely to find it comes back to bite you in the form of enforcement action from the ICO. Ensure you can make appropriate contractual provisions for all data uses, and expressly exclude use for a data processor’s own purposes if that is appropriate.
Security: Processors are required to implement appropriate security measures and have to comply with the same security requirements as controllers. You will therefore want to know that their security measures include pseudonymisation and encryption, and the ability to ensure the confidentiality, integrity, availability and resilience of processing systems and services. They must also have the ability to recover and restore access to lost data and be able to demonstrate regular testing of the effectiveness of any security measures, where appropriate.
Liability: Whilst nobody ever wants things to go wrong, it’s accepted that sometimes they do. So, when choosing a data processor, consider any liability cap they put in place.
If an existing processor is unwilling to change to facilitate compliance with the law for both you and them, it might be time for change.
Managing your data processors
Choosing the “right” data processor is not the only consideration. As with all contractual arrangements, a review mechanism should be put in place.
Conduct audits: Accepting that it will be a challenge for a small organisation to audit a much larger supplier of data processor services, you should, wherever possible, review your data processors’ performance against the points you’ve set out in your contractual arrangement. Ask them to produce their records of the data processing activities carried out on your behalf. Seek to remediate any issues and, if the outcome is unsatisfactory, it may be time to consider a change of processor.
Sub-processors: If you’ve given your data processor permission to appoint sub-processors, ensure they are cascading down at least the same controls as you have in place. Ask for regular updates on their sub-processing arrangements so you know who is actively working on your data.
Data breaches: Human errors do occur and companies can be subject to malicious attacks. Even with the best of intentions, it is possible for your data processor to be subject to a data breach affecting the data they process on your behalf and it may be through no fault of their own.
Ensure you have agreed processes in place with them which enable you both to comply with your obligations under GDPR and which give you the opportunity to work together to explore what went wrong and to build better resilience for the future.
Communication, openness and transparency in your data controller/data processor relationship are key to achieving GDPR compliance in this area.
Your choice of data processor is central to avoiding the risks your organisation faces when processing personal data. That’s because, as a supplier appointed by you, they manage your data. Any supplier providing outsourced services such as marketing, accounting and HR services is a data processor. In all likelihood, your organisation already deals with many.
When considering which data processor offers the most appropriate service for your needs, you need to address the activities you’ll want them to deliver, the transparency by which you communicate your use of data processors to your data subjects, the location of the data processor and whether they’ll need to use any of your data for their own purposes.
As with any contracted service, you should also have in place a management process and a way of dealing with any problems that may arise.
Preparing for GDPR? Ascentor can steer you through the maze
This is your GDPR action plan, produced in one week. It’s a four-step process that will arm you with the knowledge to make business decisions regarding improvements and related resources.
For further information
If you have found this article of interest, the Ascentor blog regularly carries articles about GDPR, Information Assurance (IA) and cyber security issues. You might also like to keep in touch with Ascentor by receiving our quarterly newsletter.
If you’d like to discuss the topic of GDPR and data protection in more depth or any aspect of IA and cyber security, please contact Dave James at Ascentor.