Organisations are realising that failure to protect customer data is creating long-term business problems. One of the biggest is the fear of being unable to manage the fallout of a data breach involving a third-party processor.
Consumer reaction to data breaches
In a recent survey of 7,500 consumers from France, Germany, Italy, the U.K. and the U.S., 69 percent said they have boycotted, or would boycott, “an organisation that showed a lack of integrity for protecting customer data”. The concerns are real.
Furthermore, 62 percent of consumers said they would blame the company (the controller), and certainly not a third-party processor, if their personal data were lost.
Placing your data in the cloud doesn’t mean you wash your hands of all your responsibility. With the introduction of the GDPR, third-party risk became even more pronounced. If the data handler or data processor suffers a breach, you, the data controller, would almost certainly be held accountable. However, if you work with third parties and have done your due diligence, regulators will look on that very differently.
Low-cost airline group Lion Air recently found 30 million records posted online, including passport details, names, addresses and contact details. It appears that an AWS storage bucket was left unsecured and open to the public.
With the Asia region still catching up on privacy laws, the fines that may be imposed and the obligations to report the breach, to the regulator and, more importantly, to the data subjects, are sketchy to say the least. It is not yet certain whether the Lion Air group or any of the third parties involved were subject to the GDPR. If they were, the fine and the damage to the brand could leave a large dent and threaten its operations.
Quite often security is an afterthought. Data centre hosting can involve a myriad of complex contracts: a data centre may, for example, be owned by one company, operated by another and contracted to yet another, and when something goes wrong everyone points fingers at each other.
From a legal standpoint, there can still be issues with cloud service providers.
Most controllers concentrate on two requirements of their processors:
that the processor will follow the processing instructions, and
that they will keep the data secure.
But third party due diligence needs to go further and deeper.
A full third-party due diligence audit should take place, and the right to conduct one should be clearly stated in data processing addenda and SCCs (Standard Contractual Clauses).
Under the GDPR, serious breaches must be reported within 72 hours, not almost a year, as in Uber’s case. If a data breach carries a “high risk of adversely affecting individuals’ rights and freedoms”, the regulation is stricter still: the breach must be reported without “undue delay”.
The only exception is for cases where a data controller judges that the breach is “unlikely to result in a risk to the rights and freedoms of natural persons”, but even then the breach must be thoroughly documented internally, along with the reason for not informing a DPA, something a DPA can at any time ask to see.
A large percentage of reported data breaches were found not to have met the reporting criteria, possibly because companies rushed the decision in fear of missing the 72-hour window.
There are already suggestions that organisations are comparing which authorities would be the most lenient, so a multinational, for example, may choose to report a breach to an authority with fewer enforcement powers.
Third parties are very often the weak link in data security. According to some reports, third-party failure plays a part in 63 percent of all data breaches.
However, the headlines about breaches always centre on the controller and rarely mention the third-party processors that may have played a part in the breach.
Third party due diligence frameworks
The process approach
Life cycle phase 1: Planning—Management develops plans to manage relationships with third parties.
Life cycle phase 2: Due diligence and third-party selection—The enterprise conducts due diligence on all potential third parties before selecting and entering into contracts or relationships.
Life cycle phase 3: Contract negotiation—Management reviews or has legal counsel review contracts before execution.
Life cycle phase 4: Ongoing monitoring—Management periodically reviews third-party relationships.
Life cycle phase 5: Termination and contingency planning—Management has adequate contingency plans that address steps to be taken in the event of contract default or termination.
Relentless Privacy and Compliance Services Ltd’s outsourced DPO service manages all third party contracts and due diligence.
The General Data Protection Regulation (GDPR) changed European privacy rules significantly. The introduction of the concepts ‘Privacy by Design’ and ‘Privacy by Default’ are two of these changes. Although a new legal requirement under the GDPR, these concepts are not new. Considering privacy from the start of the development process is essential to address privacy successfully.
Essential part to the GDPR
The GDPR changed European privacy rules significantly. The introduction of the concepts ‘Privacy by Design’ and ‘Privacy by Default’ are two of these changes. Privacy by Design holds that organisations need to consider privacy at the initial design stages and throughout the complete development process of new products, processes or services that involve processing personal data. Privacy by Default means that when a system or service includes choices for the individual on how much personal data he/she shares with others, the default settings should be the most privacy-friendly ones. Although Privacy by Design and Privacy by Default have become legal requirements under the GDPR, these concepts are not new. Considering privacy from the start of the development process is essential to address privacy successfully.
Increasing efficiency by thinking of privacy in advance
The GDPR requires organisations to consider privacy at the earliest stage. Privacy must be one of the ingredients of a new product or service, rather than the icing on the cake that is added at the end. This might seem complex, but it is actually easier than applying privacy considerations after a design is fully developed. When you think upfront about what personal data you want to use, for what purpose and how you will do this legitimately, it reduces the chance that you discover at a later stage that embedding privacy is technologically challenging, expensive or even impossible.
The application of Privacy by Design will therefore make the development process more efficient. Knowing what data you want to use, and giving data subjects a choice on how their data is used by applying Privacy by Default, makes it easier to be transparent with those data subjects. And transparency is key when it comes to earning the trust to collect the data in the first place. In other words: applying Privacy by Design and Privacy by Default is simply a good idea. That is why many organisations have already incorporated these concepts into their development processes.
Embedding privacy in the design process, where to start?
In order to embed privacy in the design process several aspects must be taken into consideration.
Operate within legal boundaries and be accountable
Under the GDPR organisations are not only responsible for adhering to privacy principles, they must be able to demonstrate compliance with them too. A privacy strategy is essential to make choices early in the development process regarding how you want to deal with privacy within your new service or product. Assess upfront if the idea can be executed within the relevant legal boundaries. A good instrument for doing this is carrying out a Data Privacy Impact Assessment (DPIA). A DPIA will help you identify privacy risks within your new design. Don’t forget to keep your DPIA findings. This will allow you to demonstrate your rationale behind certain decisions at a later stage.
Think of ethics
The ethical aspects of the concept must also be taken into consideration early on. An organization should determine how transparent it wants to be about its data processing and how much it wants to know about the data subjects involved. A helpful question is: would you use the product or service yourself?
Communication is key
Communication towards data subjects is very important to address at the initial design stages and throughout the complete development process. Communication lines must be clear, including when something goes wrong. It must be clear to data subjects where they can turn if they want to know more about the processing of their personal data and how they can exercise their rights.
Data security, quality and retirement
And of course it is important to think about adequate security measures, how the quality of data can be guaranteed and what will be done with the data when the product or service retires.
Successful implementation of both Privacy by Design and Privacy by Default requires that employees – especially those involved in the development of new products and services – have enough basic knowledge on privacy. Clear policies, guidelines and work instructions related to data protection should be developed and a privacy specialist should be available to assist in applying these requirements. The development method (agile, waterfall etc.) used within the organization must be taken into account, in order to apply the concepts throughout the whole development process. This will enable the development teams to take appropriate measures in the relevant phases. And finally, when a design has been completed, it must be adopted by the organization and monitored and maintained throughout its lifetime.
Privacy by Design and by Default, what is not to like?
Mandating Privacy by Design and by Default is the formalisation of a good idea. The GDPR is aimed to give data subjects more power over their personal data. Implementing Privacy by Design and Privacy by Default clearly reflects that aim. Offering the most privacy friendly option as a default setting will give people an actual say over which parts of their personal data can be used. The incorporation of Privacy by Design in the development process is the only way to apply privacy successfully. For organisations these concepts provide an opportunity to increase efficiency and gain data subjects’ trust. What is there not to like?
When the EU’s General Data Protection Regulation (GDPR) went into effect May 25, 2018, it triggered a wave of privacy legislation around the globe. And businesses everywhere have been scrambling to prepare.
Every organization doing business in the EU must comply with GDPR requirements. In addition, other regions—Brazil, Australia, Japan and Turkey, to name a few—have passed new privacy laws that businesses worldwide also now must follow. In the U.S., California announced the California Consumer Privacy Act (CCPA), which has gone into effect Jan. 1, 2020. Other states are following suit with regulations as well.
The sheer number of regulations that companies must comply with has rapidly increased in a short period of time, with geographically specific policies adding layers of complexity to most organizations’ data security operations. Businesses everywhere are waking up to the need to bolster their approach to how they handle employee and customer data. GDPR compliance was really just the beginning.
Consumers too are spurring organizations into action, demanding to know that their data is being treated securely. These consumers have raised the bar in terms of what they expect from organizations. Failures now mean class action lawsuits, as British Airways discovered after a hacker stole payment card data associated with 380,000 transactions. The GDPR not only requires organizations to notify authorities within 72 hours when they suspect a breach, but it also gives Europeans compensation rights.
Data Privacy: How to Get Started
Thinking about information policies is one thing, but knowing how to begin to refine them is another entirely. Adding to the complexity in global regulations is the enormous amount of data that your organization generates daily. Business is built on and carried out with information. We draw up plans and presentations and spreadsheets. We write reports and send emails, all of which can contain sensitive business information as well as personally identifiable information (PII). Some of it belongs to the business itself, some belongs to employees or to our customers.
Information-handling has gotten cumbersome for most organizations. Businesses are generating so much data that companies don’t even know where all their data resides or what type of information all those files and folders contain. While structured data—such as credit card information and Social Security numbers—can be fairly easily tracked and protected, unstructured data is much more difficult to safeguard.
Unstructured data is information buried deep within the documents and emails mentioned above. It includes details about people and business sometimes written in prose or as notes, so it’s not easily plucked out and secured. One of the biggest obstacles to a well-defined information-handling strategy is that many organizations struggle to accurately identify sensitive data as employees use and share it in their day-to-day work.
Organizations need to create and deploy reliable processes for improving information-handling to help people understand what data they’ve got, where it is stored and how sensitive it is. They also need tools to help ensure that it is protected.
The risks of poor information handling are enormous, from enabling a large-scale hack to allowing unfortunate employee errors. So what can organizations do to avoid fines, customer liability and expensive breach recoveries?
5 Things Businesses Can Do
Organizations need to nurture an internal culture for data categorization and risk assessment. Executives and business stakeholders as well as IT leaders must fully understand the security and privacy risks associated with the data they create, consume and handle. Everyone needs tools and processes built into their day-to-day workflow to help easily recognize privacy risks and deploy safeguards.
Here are five basic ways organizations can implement stronger information-handling policies and prepare to meet the complex range of privacy regulations out there:
Know where PII resides: Because so much structured and unstructured data is created daily, it can be difficult to know where personal information is located. As noted earlier, unstructured data is usually buried in emails, Word files, presentations and other documents. According to a recent article in the Harvard Business Review, 80% of data analysts’ time is spent simply discovering and preparing data and less than 1% of an organization’s unstructured data is analyzed or used at all. Without knowing what personal data employees generate and where it resides, organizations will have difficulty complying with regulations.
Understand internal politics around data: Different companies have different organizational structures. That said, most have a data team that may be led by a chief data officer (CDO). These executives are tasked with responsibility for the complete life cycle of organizational data. Additionally, they typically understand its value and they know how it functions within the business. Most companies also have a data security team, led by a chief information security officer (CISO). These executives oversee locking down data and systems to ensure sensitive information is not stolen or inadvertently shared publicly. They are ever-alert to the next big malware attack and work to keep security technologies up to date across the company. They also manage employee access rights and other internal data security initiatives.
But when it comes to regulations, who oversees what? Regulation requirements can be confusing, and compliance will require a collaboration between data and security teams. It is critical to understand what the company needs to do to meet regulation requirements and then work together to design a path toward compliance. It is essential to name executive ownership of the data privacy program and map out how that person will ensure regulation compliance across the organization. That person will ultimately be accountable in the event of regulatory questions, punitive consequences or data breaches.
Implement data security solutions that streamline compliance processes: Privacy regulation compliance begins by getting a better handle on data. Data identification and categorization tools can provide an understanding of what types of data exist within an organization, how sensitive each type is and how each type should be treated to comply with data privacy policies. Rather than add another layer of complexity onto operations, these tools should streamline processes by integrating with any other security tools your organization already uses—such as data loss prevention (DLP) technologies, cloud access security brokers (CASB) and enterprise digital rights management (EDRM) tools.
Consider tools that employ machine learning: It may sound complicated, but machine learning can actually simplify the consistent implementation of privacy policies across an organization. With these types of tools, a data steward trains a machine learning algorithm to help users identify and label data as they create documents and send emails. Based on the type of data a user is dealing with, the tool then gives an instruction for how to handle the information according to regulations and policies. As policies evolve, the data steward retrains the algorithms to make the data categorization tools more effective. As the tools become smarter, certain aspects of policy management can be automated.
Ultimately, businesses must be able to identify sensitive information across their enterprise—at creation and at rest. They need to encrypt and protect that information when it is in motion, whether it’s being emailed or uploaded to a cloud repository. And they need to apply identity and access technologies to ensure that all data is being shared with the appropriate people.
By getting ahead of the game and implementing a foundation of data privacy policies that include identification and categorization for better information-handling, organizations can ensure they will be ready to meet any regulations regardless of which region initiated them.
Despite their positive intentions, legislators and regulators have posed major problems for corporate counsel by failing to foresee the enormity of the task of auditable compliance, in both the public and private sectors.
So, as we approach the two-year mark, it is a timely opportunity to reflect on whether guidance from legal practitioners, in-house or external, has been capable of execution.
GDPR policy direction and regulatory enforcement
Compliance: the story so far, the good and the not so good
In practical terms, the private sector has largely taken the GDPR seriously, providing direction on active and demonstrable consent to retail customers. Anecdotal evidence has also suggested that the “privacy by design” concept is being respected when it comes to integrating compliance features into new products and services. In one instance, a global UK-headquartered bank CDO has made sure that anonymisation is in place when analysing its Personal Data to improve its wealth management products and services.
Yet, surprisingly, large institutions, especially in the insurance and recruitment sectors, are still at a mid stage of data discovery. This includes identifying precisely where, and in what form and volume, Personal Data lies across their legacy data landscape. As a result, such discovery should be urged by legal counsel, along with a gap analysis of their processes and technology, at least to provide an in-flight road map for remediation.
Beyond sanctions: The business benefits of successful compliance
While defending against fines and reputational damage is undoubtedly front of mind for the private sector, there are several positive up-sides to effective GDPR compliance – all worth the attention of legal practitioners.
Promoting GDPR compliance to improve operational efficiency
Deleting unwarranted Personal Data retention has led two major UK insurers to proactively downsize the “dark data” they hold, which on average represents in excess of 30 per cent of all information held by a corporate. This has resulted in reduced back-up and data storage costs and, in turn, increased ROI. Simultaneously, they have effectively cleansed their data in anticipation of executing digital transformation initiatives.
Using GDPR as a benchmark for better due diligence during M&A
This can be applied both from the point of view of a subsidiary sale, as well as the data discovery necessary on a subsidiary purchase.
Provisional linkage of data in all formats for revenue gains
By ensuring compliance, organisations have the ability not only to facilitate replies to a Subject Access Request, but also achieve greater goals from compliant data mining and value extraction – ultimately leading to enhanced revenues.
The GDPR ambiguity
For legal counsel, the GDPR has sparked a host of complex issues on both the regulatory enforcement and the policy guidance side. However, for the perceptive, the regulation has, somewhat paradoxically, provided a key opportunity for executing key business goals and driving a competitive edge.
Legal counsel and internal compliance teams need a full 360-degree view of the GDPR and should promote the benefits of the regulation.
Start your 360-degree review today by booking a GDPR comprehensive gap analysis and remediation assessment and report.
clear and comprehensive information about the purposes of, or access to, the information in the cookie are provided to the user; and
the consent of the user has been obtained (unless the cookie falls within the “strictly necessary” exemption – as described further below).
The ICO Guidance has now helped to clarify the above requirements.
The key points are as follows:
Clarification of the “strictly necessary” exemption
User consent is not required for cookies which are “strictly necessary”. The ICO Guidance clarifies that this means that the use of the cookie must be “essential” for the provision of the service which has been requested by the user or to ensure compliance with applicable law.
The ICO provides examples of the types of cookies which would fall within the meaning of “strictly necessary”. Perhaps not surprisingly, advertising cookies, such as the Facebook pixel, which are commonly used by retailers and allow them to target users online (for example, through their social media accounts) are not considered to be “strictly necessary”.
Examples of the types of cookies which would benefit from this exemption include those which:
remember the goods in a user’s basket when a user is shopping online; or
are required to provide adequate security standards to ensure compliance with the GDPR.
It follows that cookies which are often considered important but are not essential to the provision of the service to the user or for compliance with the law do not come within the strictly necessary exemption. This means that “performance cookies”, such as Google Analytics, which measure the way in which individuals use a website and can help to evaluate the success of promotions and campaigns are not covered by this exemption.
Clear and comprehensive information
In relation to cookies, this means that online organisations need to review and update their cookie policies to ensure that these are drafted in a sufficiently clear and easily accessible manner for a normal user to be able to understand how cookies are being used on the website.
The standard of consent is high
The ICO confirmed that the standard of consent for using cookies is the same as that set out under the GDPR, even for cookies which do not involve the processing of personal data. Under the GDPR consent must be:
fully informed and freely given;
express as opposed to implied;
specific (that is, not bundled with other matters); and
capable of being withdrawn.
So implied consent can no longer be relied on for cookies. Websites which use non-essential cookies without specifically requiring users to consent to these upon their first access to a site are therefore not compliant. As a result, non-essential cookies need to be switched off until a user has taken an affirmative act to opt-in to the use of these.
Of the various online organisations’ websites that we reviewed at the end of November 2019, a large proportion of these were still relying on implied consent, using language along the lines of: “By continuing to use our website, you consent to us using cookies in accordance with our cookies policy”. This does not constitute a valid consent under the relevant regulations.
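The opt-in requirement described above, together with the Privacy by Default principle from earlier on this page, as an added example that is not code from the original post or from the ICO: a small consent gate in JavaScript that sets only strictly necessary cookies until the user affirmatively opts in, and deletes non-essential cookies again when consent is withdrawn. The cookie names, their categories and the in-memory cookie jar are constructed for illustration; on a real site the jar would wrap document.cookie.

```javascript
// Constructed catalogue: the category of each cookie on a hypothetical retail
// site. Only "strictly_necessary" cookies are exempt from consent.
const COOKIE_CATALOGUE = {
  basket_id: "strictly_necessary",  // remembers the goods in the user's basket
  csrf_token: "strictly_necessary", // security control required for the service
  _ga: "performance",               // Google Analytics style performance cookie
  _fbp: "advertising",              // Facebook pixel style advertising cookie
};

// Categories a user can opt in to. Anything else needs no consent or is unknown.
const NON_ESSENTIAL = new Set(["performance", "advertising"]);

// Classify a cookie by name. A cookie nobody has reviewed is "unclassified",
// which is treated as non-essential so it is never set by default.
function classifyCookie(name) {
  return COOKIE_CATALOGUE[name] || "unclassified";
}

// Minimal in-memory cookie jar so the example runs outside a browser.
// In a real page this would read and write document.cookie instead.
class MemoryCookieJar {
  constructor() { this.cookies = new Map(); }
  set(name, value) { this.cookies.set(name, value); }
  remove(name) { this.cookies.delete(name); }
  has(name) { return this.cookies.has(name); }
  names() { return [...this.cookies.keys()].sort(); }
}

class ConsentGate {
  constructor(jar) {
    this.jar = jar;
    // Privacy by Default: no non-essential category is granted until the user
    // takes an affirmative act. Continuing to browse never changes this state.
    this.granted = new Set();
    this.consentRecord = null;
  }

  // May this cookie be set under the current consent state?
  allows(name) {
    const category = classifyCookie(name);
    if (category === "strictly_necessary") return true;
    return this.granted.has(category);
  }

  // Try to set a cookie; returns true if it was set, false if it was blocked.
  setCookie(name, value) {
    if (!this.allows(name)) return false;
    this.jar.set(name, value);
    return true;
  }

  // Record a specific opt-in for the named categories. `source` records which
  // UI control produced the consent, so the decision can be evidenced later.
  grant(categories, source) {
    for (const c of categories) {
      if (!NON_ESSENTIAL.has(c)) throw new Error(`not a consent category: ${c}`);
      this.granted.add(c);
    }
    this.consentRecord = {
      categories: [...this.granted].sort(),
      source,
      at: new Date().toISOString(),
    };
    return this.consentRecord;
  }

  // Withdraw consent for some or all categories and delete the cookies that
  // are no longer permitted, so that withdrawal actually takes effect.
  withdraw(categories = [...NON_ESSENTIAL]) {
    for (const c of categories) this.granted.delete(c);
    const removed = [];
    for (const name of this.jar.names()) {
      if (!this.allows(name)) {
        this.jar.remove(name);
        removed.push(name);
      }
    }
    return removed;
  }
}

// Walk through one visit: the first load sets only the essential cookie,
// analytics stays blocked until opt-in, and withdrawal clears it again.
function demo() {
  const jar = new MemoryCookieJar();
  const gate = new ConsentGate(jar);
  const firstLoad = [
    gate.setCookie("basket_id", "b-123"), // true: strictly necessary
    gate.setCookie("_ga", "GA1.2.x"),     // false: no consent yet
    gate.setCookie("_fbp", "fb.1.x"),     // false: no consent yet
  ];
  gate.grant(["performance"], "cookie-banner:accept-analytics");
  const afterOptIn = [
    gate.setCookie("_ga", "GA1.2.x"),     // true: performance granted
    gate.setCookie("_fbp", "fb.1.x"),     // false: advertising not granted
  ];
  const removed = gate.withdraw();        // deletes _ga, keeps basket_id
  return { firstLoad, afterOptIn, removed, remaining: jar.names() };
}
```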
Take home points
If history is anything to go on, it would be reasonable to expect the ICO to seek to make examples of businesses which do not comply in the future. Meanwhile, the ICO is currently receiving a large number of complaints in relation to cookies, and it can be expected that this is also resulting in bad publicity on social media for the retailers concerned.
Irrespective of the above potential ICO fines and bad publicity, retailers are being trolled by some individuals who are bringing court cases claiming infringement of data protection law and forcing retailers to settle out of court by paying them off.
Brexit will, therefore, finally go ahead on 31 January 2020.
Now that the withdrawal agreement has been passed by parliament, the government will have until 31 December 2020 to negotiate the UK’s future relationship with the EU – although it is still possible for this deadline to be extended.
No trade deal of this size and complexity has ever been agreed between the EU and a third country in such a short time, so the risk of the UK’s trade relationship with the EU defaulting to WTO (World Trade Organization) terms still exists.
During the 11-month transition period, EU law – including the EU GDPR (General Data Protection Regulation) – will continue to apply in the UK.
This post explains what we know so far about how Brexit will affect international transfers of personal data after 31 December 2020.
Speak to a Data Protection expert
If you need guidance or advice on how Brexit will affect your organisation’s data protection obligations, get in touch with one of our experts. Simply call +44 (0) 121 582 0192, or request a call back using the form at the foot of this post.
The EU GDPR entered into force on 24 May 2016, before the UK’s referendum on EU membership. Following a two-year transition period, the Regulation took effect on 25 May 2018, superseding the EU’s DPD (Data Protection Directive) 1995 and all member state law that implemented it – including the UK DPA 1998.
Although it applies directly in member states with all the force of a domestic law, the EU GDPR leaves certain areas to individual member states to interpret and implement. In the UK, this is achieved by Part 2, Chapter 2 of the DPA 2018, which should be read alongside the Regulation.
As well as modifying the EU GDPR, the DPA 2018 applies a broadly similar regime of data protection – known as “the applied GDPR” – to certain areas that fall outside the EU GDPR’s scope, including processing by public authorities.
It also sets out data processing regimes for law enforcement purposes and the intelligence services.
Data protection law in the UK after Brexit: the UK General Data Protection Regulation
Although the EU GDPR will no longer apply directly in the UK at the end of the transition period (31 December 2020), UK organisations must still comply with the Regulation’s requirements.
First, the DPA 2018 enacts the EU GDPR’s requirements in UK law.
The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 also provide that transfers of personal data from the UK to the US that rely on the EU-US Privacy Shield can continue. See Post-Brexit international data transfers: adequacy decisions, below, for more information.
There is very little material difference between the EU GDPR and the proposed UK GDPR, so organisations that process personal data should continue to comply with the EU GDPR.
The EU GDPR will – like all other EU regulations – continue to apply in the UK until the end of the transition period (31 December 2020).
From this point, the UK GDPR will apply.
The UK will be classified as a third country from the end of the transition period. Until an adequacy decision is reached, UK organisations that process personal data on behalf of EU data controllers will need to rely on other measures – such as standard contractual clauses or binding corporate rules – to transfer personal data from the EEA to the UK. This is discussed in greater depth below.
Most organisations that provide goods or services to, or monitor the behaviour of, EU residents will also have to appoint an EU representative, under Article 27 of the EU GDPR.
The EU GDPR’s requirements as implemented by Parts 3 and 4 of the DPA 2018 will continue to apply for law enforcement and intelligence purposes.
Post-Brexit international data transfers: adequacy decisions
In order for international data flows from the EEA to the UK to continue unhindered after Brexit, the European Commission will need to determine that the UK, as a third country, offers personal data an adequate level of protection via an adequacy decision as per Article 45 of the EU GDPR.
The UK hopes that, by enacting the EU GDPR’s requirements in domestic law, it will be able to demonstrate that it will continue to enforce international data protection requirements after it leaves the EU.
To date, the Commission has adopted 13 adequacy decisions: with Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the US (for companies certified under the EU-US Privacy Shield). Talks with South Korea are ongoing.
Both the EU and UK hope to complete the adequacy decision process within the transition period, although it is worth noting that there is significant time pressure: the last third country to strike such a deal with the EU was Japan, and that process took just over two years. The UK has only 11 months.
If an adequacy decision is not reached by 31 December 2020, organisations in the UK will have to rely on binding corporate rules or standard contractual clauses to transfer personal data from organisations in the EEA. (The EU GDPR also makes provision for personal data to be transferred to third countries based on approved codes of conduct – such as the EU-US Privacy Shield – but no such code has been agreed for transfers from the EEA to the UK yet.) It is important to note that, as the UK’s ICO will no longer be a supervisory authority under the EU GDPR, it will not be able to approve binding corporate rules for transfers of personal data from the EEA to the UK. Such binding corporate rules will, therefore, need to be approved by a supervisory authority within the EU.
Infringements of the EU GDPR’s requirements for transferring personal data to third countries or international organisations are subject to the higher level of administrative fines: up to €20 million or 4% of annual global turnover – whichever is higher.
Prudent organisations that process EU residents’ personal data should therefore put measures in place to ensure they continue to comply with the law after 31 December 2020 in case no adequacy decision is reached.
As to transfers of UK personal data to the US, the draft Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 make provision to preserve the effect of the EU-US Privacy Shield in the UK in the event of a no-deal Brexit.
US organisations that participate in the Privacy Shield will have to update their “public commitment to comply with the Privacy Shield to include the UK”.
Expert support: Accessing specialist expertise from experienced DPOs with the right skillset to navigate the new data processing and data security landscape can be difficult, time-consuming and expensive. By outsourcing to us, your organisation benefits from:
Access to a team of expert DPOs with a proven track record;
Cost savings in recruitment, employment and retention;
Truly independent DPOs, which means there are no conflicts of interest between the DPO and other business services;
Access to a team of experts working at the leading edge of their field with visibility of the latest trends and application of best practice; and
A service that is flexible according to your organisation’s needs, with pricing to match.
Before the General Data Protection Regulation (GDPR) came along, organisations were almost habitually collecting large volumes of data that were often stored and processed by third parties on their behalf. Though many of these organisations may have had a vendor risk management (VRM) program in place, the GDPR’s increased focus on the risks of outsourcing cloud hosting and data processing activities, its extensive extraterritorial scope, and its hefty fines have placed a new sense of urgency on the need for robust VRM programs.
Throughout our series on vendor risk management, we will discuss the ways VRM is changing today, from the biggest challenges to strategies for identifying and mitigating vendor risks. In this post, we look at the GDPR, its impact on third-party risk management, and how your VRM program must evolve to meet these new requirements.
How has the GDPR affected third-party vendors?
The GDPR has placed an extraordinary level of accountability on third parties (those companies that process data on behalf of other companies). Under the GDPR, in-scope vendors must increase security and privacy measures around personal data-processing activities. The regulation has five key articles pertaining to the new responsibilities of third parties:
Article 28 (2), Processor’s Duty: Blocks data processors from engaging another processor without prior specific or general written authorisation of the data controller.
Article 30, Records of Processing: Mandates data processors to maintain a detailed inventory of EU residents’ personal data.
Article 32, Security of Processing: Mandates data processors to implement information security controls.
Article 33, Breach Notification: Mandates processors to report any incidents and breaches without undue delay.
Article 36, Prior Consultation: Mandates processors to perform Data Protection Impact Assessments (DPIAs) and consult with Supervisory Authorities where processing of personal data results in a high risk to the rights and freedoms of individuals.
While the regulation has expanded the requirements for vendors, the responsibility for incidents or data breaches remains with the data controller. This has led many organisations to restructure and strengthen their VRM programs. The steps organisations should take to align their VRM program with the GDPR are as follows.
Step 1: Assessing your VRM program against the GDPR
The first step in aligning a VRM program with the GDPR is building a vendor assessment framework that addresses the organisation’s specific requirements and incorporates recognised best practices. Developing this framework requires gathering and reviewing existing policy and procedures documentation, evaluating vendor questionnaires, selecting metrics for vendor assessments, and identifying opportunities for improvement.
Step 2: Determining baseline assessment criteria
Controllers can use the GDPR as an opportunity to strengthen the baseline requirements necessary for vendor relationships. The types of services vendors provide, the purpose of the data sharing and the data types the vendor will access should determine the level of data security standards a vendor must meet.
Concerning GDPR compliance, controllers must be able to identify in-scope vendors that have access to and/or may be processing EU personal data. When evaluating whether a third party will meet the organisation’s baseline security and privacy requirements, organisations should consider:
Leveraging onboarding and security checklists and in-depth questionnaires (to identify systems, processes and personnel, as well as the data elements that will be involved in the relationship, and the controls in place to safeguard the data shared in the relationship, for example);
Performing vendor risk evaluations based on predetermined criteria that the organization places value upon (for example, through questionnaires/audits to identify higher-risk vendors, such as those who process a higher volume of data and/or sensitive EU personal data on behalf of the organization); and
Implementing vendor monitoring practices using privacy and security metrics for reporting and to evaluate control performance, especially for vendors or potential partners that will have access to sensitive data and/or EU personal data.
What are the specific requirements that should be included in third-party contracts under the GDPR?
Once an organization has determined that a vendor meets their baseline requirements and decides to enter into a contractual agreement, the contracting organization should ensure that the contract includes specific GDPR requirements, such as:
Establishing limitations for cross-border transfers,
Defining the data controller/processor relationship and the specific details of the purpose(s) for which data will be used,
Mandating that data should not be processed beyond the purpose for which it was shared with the vendor, and
Establishing the processes the third party will use to report any incidents or breaches to the organization.
What should vendor evaluations include under the GDPR and how often should they be carried out?
After a third-party vendor relationship has been established, a necessary, but often overlooked, step is conducting periodic vendor reviews. These evaluations and assessments should include the review of contracts, the lawful bases for data processing, security measures, and legal obligations. Data controllers can leverage the information gathered during baselining activities to help in these evaluations. They can also track their third parties based on the information obtained through the assessment activities. For example, this can be a review of documented technical and organisational safeguards found in SOC reports, contracts, or other types of attestation, which can be used to verify that the processor aligns with the necessary standards and controls for data protection and privacy, the requirements of the GDPR, and your organisation’s unique requirements.
Third-party relationships will require a renewed focus for organisations who must be GDPR compliant. During the coming years of the GDPR especially, organisations and their vendors will need to reevaluate key processes, policies, and contracts to ensure they meet these GDPR requirements. Vendors will need to develop a firm understanding of their new data protection responsibilities under the GDPR, as well as the consequences of noncompliance, and make necessary changes to secure the data they handle on behalf of their clients.
Contracting organisations must establish a detailed framework for their VRM program that aligns with the GDPR, identify opportunities for improvement, and carefully evaluate their current vendor relationships. Under the GDPR, both organisations and their vendors have the heavy responsibility of protecting data subjects’ information, a task that requires careful evaluation, improvement, and ongoing maintenance.
Relentless Privacy and Compliance specialises in helping companies build and manage third-party organisation management frameworks to evaluate and improve their vendor risk and data protection programs and has a team of experts dedicated to understanding the requirements of the GDPR.
Relentless GDPR Assessment provides controllers with a comprehensive gap analysis and risk report enabling controllers to make sound partnership decisions and fulfil their compliance requirements.
What is the impact of maintaining records of processing activities (ROPA) under the GDPR?
In this blog we focus on the technical and operational aspects of how organisations can create an overview of existing data processing activities. For some countries this is not an entirely new requirement, as organisations in for example the Netherlands and Belgium are already familiar with the obligation of notifying processing activities to the local Data Protection Authority.
This responsibility for organisations, laid down in article 30 of the GDPR, requires a full overview of the processing activities that take place within an organization, but also requires these activities to be documented accordingly. This will require a proactive approach from, and collaboration within, organisations.
What does this obligation entail for controllers?
Each controller has a responsibility to maintain records of all the processing activities which take place within the organization. These records (which need to be in writing, as well as in electronic form) must contain all of the following information:
(a) the name and contact details of the controller and, where applicable, the data protection officer;
(b) the purposes of the processing;
(c) a description of the categories of data subjects and of the categories of personal data;
(d) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
(e) the transfers of personal data to a third country or an international organization, including the documentation of suitable safeguards;
(f) the envisaged time limits for erasure of the different categories of data; and
(g) a general description of the applied technical and organisational security measures.
Furthermore, the controller or the processor (please refer to the next paragraph) needs to make the records available to the supervisory authority upon request.
And what about processors?
In general, the GDPR does not only require more responsibility from the controller, but it also requires more responsibility from the involved data processors. Therefore, this obligation is also applicable to processors. Each processor will have the responsibility to maintain records of all categories of processing activities carried out on behalf of a controller, containing:
the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, the data protection officer;
the categories of processing carried out on behalf of each controller;
transfers of personal data to a third country or an international organization, including the documentation of suitable safeguards;
a general description of the applied technical and organisational security measures.
Operational and technical measures
Organising records of all the data processing activities that take place within your organization could pose a challenge, especially when such processing takes place in a decentralised way across different departments or business units. How can this stream of information best be coordinated, where should records be stored and, more importantly, how should these records be maintained and kept up to date? A few practical tips are outlined below.
1. Involve the business
As data processing activities take place across your organization, it is key to identify the stakeholders who play a role at the beginning of the development or design of a product, process, system, application or project. These people have the main insight into the data processing activities and will be of great value in creating and maintaining the overview. Involve the business when your organization starts to think about the underlying process that is needed to generate these records. Make them aware of the benefits and the added value for your organization.
2. Design (and align) a process, with clear roles and responsibilities
When you have your stakeholders involved, the next step is to determine the process in which the records must be obtained, checked, added to a central register and kept up to date. Be aware that a lot of the required information will most probably already have been obtained by performing Data Protection Impact Assessments (DPIAs). If there is an existing supporting process, explore to what extent this new process can be aligned with it. This will streamline the required effort and will prevent the business from having to provide the same information twice.
Also, make sure that clear roles and responsibilities are defined when the process is being developed. Think about responsibilities with regard to the collection of the required information, entering the information into a centralised register and updating the information in the register when needed.
Do not forget to involve other competences as well, such as IT, compliance, procurement and legal, as they could also greatly benefit from the information. Think of the contracts in light of the procurement process in case processors are (going to be) involved. The information will be of great value in settling data processing agreements.
3. Create a central register for the records
The records that must be kept should be stored in a centralised manner. Depending on the infrastructure of the specific organization, explore how best to support the underlying process. Preferably, organisations should not “seek refuge” in Excel sheets, as easy as that might be, but rather use a proper tool. In this way one centralised system will provide a full overview of the processing activities that take place within the organization. Of course, in this scenario people have to be aware of the proper technical measures, such as access and authorisation rights (not everyone should be authorised to change or alter information). The market for privacy tools is expanding rapidly, and it is good to think about the technical requirements and possibilities within your own organization.
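The Article 30 items listed above and the central register with access rights described in step 3, as an added Python illustration (not the page’s or any vendor’s code): required-field validation for controller and processor records, write access restricted to assumed roles, and an audit trail of every write attempt. Field names, role names and the sample payroll record are constructed assumptions.

```python
"""Article 30 register sketch (added illustration, not the page's or any vendor's code).
Record field names, role names and the in-memory store are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Article 30(1) items (a)-(g): what every controller record must document.
CONTROLLER_FIELDS = (
    "controller_and_dpo_contact", "purposes", "subject_and_data_categories",
    "recipient_categories", "third_country_transfers", "erasure_time_limits",
    "security_measures",
)
# Article 30(2) items: what every processor record must document.
PROCESSOR_FIELDS = (
    "processor_and_controller_contacts", "processing_categories",
    "third_country_transfers", "security_measures",
)
# Roles allowed to change the register (assumed names); every other role is read-only.
WRITE_ROLES = frozenset({"dpo", "privacy_officer"})

def missing_fields(record: dict, kind: str) -> list:
    """Return the Article 30 items absent from a record, in the article's order.
    The key must be present even when the answer is "none" (e.g. no transfers):
    an empty list is accepted, an absent key is not."""
    required = CONTROLLER_FIELDS if kind == "controller" else PROCESSOR_FIELDS
    return [f for f in required if f not in record]

@dataclass
class Register:
    """Central register: validated entries plus an audit trail of every write attempt."""
    entries: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def upsert(self, user: str, role: str, name: str, kind: str, record: dict) -> None:
        if role not in WRITE_ROLES:
            self.audit_log.append((user, role, "DENIED", name))
            raise PermissionError(f"{user} ({role}) may not alter the register")
        gaps = missing_fields(record, kind)
        if gaps:
            self.audit_log.append((user, role, "REJECTED", name))
            raise ValueError(f"{name} is missing Article 30 items: {gaps}")
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.entries[name] = {**record, "kind": kind, "updated": stamp}
        self.audit_log.append((user, role, "UPSERT", name))

# Constructed sample record: a payroll activity with one processor and no transfers.
PAYROLL = {
    "controller_and_dpo_contact": "Example Ltd, dpo@example.test",
    "purposes": ["salary payment"],
    "subject_and_data_categories": {"employees": ["name", "bank account", "salary"]},
    "recipient_categories": ["payroll processor", "tax authority"],
    "third_country_transfers": [],  # none, but recorded explicitly
    "erasure_time_limits": "7 years after employment ends",
    "security_measures": ["encryption at rest", "role-based access"],
}
```

A denied or rejected write still leaves a trace in `audit_log`, which is what an auditor reviewing register changes would expect to see.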
Is this obligation a burden or could it become a valuable asset for organisations?
This requirement under the GDPR will require some extensive effort. The organising part demands a lot of the business, but also of the privacy professionals involved. Convincing the business of the added value of these records – besides the fact that it is an obligation of which non-compliance could lead to fines up to EUR 10.000.000 or 2% of the total worldwide annual turnover – will take time. Taking into account the development of the process, as well as exploring and implementing the technical measures, it will be a time-consuming undertaking. Moreover, don’t forget to keep track of existing processing activities: not only new data processing activities must be recorded, but also the activities that are taking place at the moment (and maybe have been for years).
However, there is also something to gain. The records will provide an overview of all data processing activities within your organization, and therefore enable organisations to get a grip on what kind of data categories are being processed, by whom (which departments or business units) and for which underlying purposes. This knowledge will allow organisations to make connections internally, join efforts or projects with the same or equivalent goals and/or challenges, and it can result in increasing control over data processing activities. This will provide insight into risks and required mitigation actions, and will inevitably result in empowering organisations to do more – and in a well-ordered manner – with the available personal data.
Relentless GDPR 247 is an ideal compliance platform for decentralised teams in different time zones: access and collaboration are easy, making Article 30 ROPA maintenance seamless.
Founder of Relentless Privacy and Compliance Services, one of the fastest growing global privacy consultancy companies of 2019. Currently serving clients in 6 global regions.