Using outsource service providers is a good way of reducing overheads and obtaining specialist, skilled support for activities outside the organisation’s core activities. But there are data protection implications. Following on from our basic tips on identifying Controllers and Processors, this article presents our top tips for data protection compliance management.
Controllers that subcontract or outsource any of their personal data processing activities are required to enter into written contracts with their processors. There is mandatory content for the written contracts set out in data protection legislation.
In addition to the requirement for a contract, organisations must also check the compliance of their service suppliers with security standards and carry out due diligence checks. In practice this might mean visiting their offices to check physical security, or simply asking questions about IT, physical security and staff training. It will depend on the risk inherent in the dataset and the proposed processing.
Responsibility for compliance with data protection law lies with the controller. Although a controller may delegate data processing tasks to a processor, the controller remains responsible for compliance. Controllers must check the compliance of their processors around data security, before the contract starts and on a continuing basis.
Top tip #1
Due diligence should be based on a risk assessment. Assess the risks inherent in the data itself: how much personal data is being processed, the vulnerability of data subjects and the type of personal data being processed. Also consider the risks inherent in the circumstances of the processing, the location of the data processing, security in transit and what type of processing is involved, both in the processor’s control and if any third party sub-processors are being used. Assess the implications of losing or disclosing the data, particularly the impact on data subjects. (There is more information about risk assessments here in our article on auditing).
Discuss the risk assessment with the processor, including what steps can be taken to avoid or mitigate the risks identified.
Top tip #2
Ask the processor questions about the security arrangements which will be in place around the personal data. Are any security standards applicable, such as ISO27001 or other accreditations? What provision has been made for security of the data in transit? Other relevant queries will be about how colleagues are trained in data protection, how new employees are monitored and the controls within which employees work to ensure that they are reliable. Where appropriate, the security measures and compliance controls for employees who work from home should be explained.
Due diligence should be repeated at an appropriate interval depending on the level of risk in the data processing.
Top tip #3
Decide on an appropriate allocation of liability for any remaining risks where possible. For example, if the processor decides to use a sub-processor, it should take responsibility for any increased liability in respect of the processing that results from that decision.
Check that liability clauses are in place that are appropriate to the contract term and the risks.
Top tip #4
Set up a template outsourcing agreement to include the mandatory contract clauses to meet the standards in UK GDPR. Details of the services provided, the data subjects and the categories of personal data processed can be added into the appendices. Use your template to check for mandatory content if you are obliged to contract on terms presented by the processor.
Remember to include Standard Contractual Clauses (UK version) if personal data is exported to a processor located outside of the UK.
Top tip #5
Due diligence compliance checks need to be revisited from time to time with the supplier. As well as confirming security measures in place, always ask whether they have suffered any data security breaches and, if so, what actions they have taken to ensure that a similar incident does not occur again.
How frequently the due diligence exercise is repeated will depend on the risk inherent in the data processing and any indications of poor performance by the service provider.
Outsourcing is a good way to ensure skilled, technical support in activities that may not be your organisation’s core activity. It can be more cost effective to use specialists. However, the controller remains responsible for data protection to a large extent even when data is being processed by a third party.
In particular, UK GDPR sets out standards for using processors and the relationship needs to be set up correctly and managed on an ongoing basis. Follow our top tips for a compliant working relationship or try our w for specialist support with processor management.
Mandy P Webster, Data Protection Consultant