One of the key aspects of data protection compliance is procurement, or third party vendor, compliance. The Data Protection Act provides that where a data controller wishes to use the services of a data processor, it must first ascertain that the data processor has put in place sufficient safeguards for data protection.
Who is a data controller? A person responsible for determining the purpose and means of processing personal data. Examples include banks, schools, hospitals, telecommunication companies, employers, online retailers etc. On the other hand, a data processor is an organisation or person that processes personal data on behalf of the data controller. In other words, a data processor is a supplier or vendor appointed by the data controller to process personal data on its behalf. Some examples of data processors include payroll processing agencies, insurance providers, pension providers, IT solution providers, market research companies, lawyers, accountants, etc.
The duty to provide adequate oversight on the data protection capabilities of data processors is set to change the procurement landscape in various ways. For instance, procuring entities must first understand the data handling practices along their supply chains. The assessment will cover evaluation from the pre-contracting stage to the off-boarding process. Although it sounds daunting, the exercise is nevertheless necessary for any company that intends to achieve meaningful data protection compliance. Let us now consider some of the ways in which vendor procurement will be impacted by the data protection law.
1. Stringent pre-engagement due diligence
Section 42 (2) of the Data Protection Act imposes an obligation on data controllers in relation to selection of their data processors. In particular, a data controller can only opt for a data processor who provides sufficient guarantees and safeguards for data protection. Thus, the data controller must undertake some form of pre-engagement assessment to confirm the vendor’s data protection capabilities. A typical data privacy and security assessment involves taking an in-depth look at the vendor’s data handling and management practices. For example, you may need to look into:
- the adequacy of the vendor’s information security policies and controls. This includes reviewing their existing governance and security framework against your minimum expectations.
- details of the vendor’s technical certifications, security policies and procedures.
- how the vendor intends to comply with your privacy and security practices.
- the vendor’s track record in handling personal data, e.g. have they had security breaches or incidents in the past, and how were they handled?
The pre-engagement due diligence can be achieved in various ways. For example, you can roll out a robust Request for Proposal (“RFP”) document which outlines your minimum expectations for data protection. Alternatively, you can ask prospective vendors to fill out a due diligence questionnaire which you can use to assess the supplier’s current practices. All in all, the due diligence process is set to become stricter and more demanding for procurement teams.
2. Requirement for data processing agreements
Pursuant to section 42 (2) (b), a data controller and data processor must enter into a written contract. In essence, this contract provides that the vendor shall act only on the instructions received from the data controller and shall abide by the data protection obligations the data controller imposes on it. Examples of the matters included in the contract are:
- the data controller’s minimum standards/expectations for data privacy and security.
- allocation of responsibilities
- requirements on appointment of a data protection officer
- requirements on sub-contracting including data protection obligations for sub-contractors
- prohibitions on third party disclosures and on access to the data controller’s systems, other than for the intended purposes
- data retention and disposal requirements
- data breach management and response plans
- protection of data in the case of an international data transfer
The upshot is that data controllers should expand their contractual processes to cover personal data processing.
3. Coordinated approach to data breach management
Section 43 deals with the notification of personal data breaches. In particular, section 43 (1) places an obligation on data controllers to notify the Data Commissioner, and to communicate with the affected data subjects, within 72 hours of becoming aware of the breach. Similarly, a data processor must also report a breach, albeit to the data controller and not to the Data Commissioner. The data processor’s report should be made within forty eight (48) hours of the data processor becoming aware of the breach. Since the controller’s own 72-hour clock starts when it becomes aware of the breach, a processor that uses its full 48 hours leaves the controller very little time to investigate and report.
In practical terms this means that when a data processor experiences a data breach, it impacts not only the data processor but also the data controller. For example, if a bank outsources its customer database to an SMS marketing company and a breach occurs, the bank will bear the responsibility for reporting the breach to the Data Commissioner. In addition, the public will place the blame squarely on the bank. The bank’s reputation will suffer as much as, if not more than, the SMS marketer’s reputation. Most likely the bank will have to deal with the customer backlash and queries relating to the breach. It will also face a significant litigation risk.
Due to the high risks emanating from personal data breaches, data controllers and processors should adopt a coordinated approach to data breach management. One way to achieve this is through the use of data breach incident management plans that both parties have agreed to in advance. Further, the data processing agreement should contain clear provisions on the allocation of breach reporting responsibilities, including the processor’s notification deadline, the contact points on each side and the information the processor must supply so that the controller can meet its own reporting obligation.
4. Monitoring and evaluation
Once a supplier is identified and engaged, the data controller should not sit back and relax. Instead, it should proactively monitor and evaluate the vendor’s data processing activities and capabilities. The procurement process should provide for scheduled audits and spot checks for all suppliers that handle personal data. Apart from audits, controllers may also need to consider conducting vendor risk assessments. These can help you to determine what interventions a vendor may require in terms of controls and monitoring. Another aspect to consider is data security. Vendor access to networks and systems should be restricted to what the engagement actually requires, should be withdrawn when the engagement ends, and should be subject to checks and balances (for example periodic access reviews) to confirm that the restriction is still in place. Finally, data controllers need to ramp up their own internal security measures and controls by deploying proactive and defensive IT strategies such as anti-virus, firewall technologies, DNS filtering, network access control etc.
5. Roll out a Data Protection Policy
In addition to contracts, procurement should also consider disseminating a data protection policy to suppliers. The policy should outline expectations in relation to the handling of customer data, sharing data with third parties, data subject access requests, information security etc. A robust policy alone may not be adequate to enforce compliance. Training the vendors on these expectations provides more assurance that they understand what is expected of them. It also builds trust with the vendors and makes compliance more of a partnership journey.