If you are a controller considering engaging a processor, you can’t choose the one that suits you best based only on functionality. Even if that processor is selling the perfect product (e.g. software that is very easy to learn, a cloud service with unlimited storage capacity, etc.) or is offering the perfect deal – if it doesn’t provide sufficient guarantees to keep the personal data safe and sound, you have to walk away.
Why? As a controller, you bear the responsibility not only for your compliance with the GDPR, but also for choosing the processor that will process data on your behalf in a secure and compliant way. For this reason, before you start collaborating with any processor, you need to do thorough due diligence. This article aims to clarify what the due diligence part implicates and what you should look for when you engage a new processor.
Before anything else, you need to do a self-assessment and figure out what the nature of the processing will be and what level of risk this processing implicates for data subjects’ rights and freedoms. For example, will personal data regarding vulnerable data subjects be processed? Vulnerable data subjects refer to people who may be unable to consent or oppose the processing of their data or to exercise their rights. Children, employees, mentally ill individuals and asylum seekers are examples of people who may be considered vulnerable data subjects. Or will the processor process special categories of personal data on your behalf? If the answer is yes, you need to be even more careful when choosing the processor and make sure that they have appropriate technical and organisational security measures in place.
After this first step is completed, you can start the due diligence process, which is the first stage of processor management. Here is a checklist with the things you need to look out for when engaging a new processor:
Does this processor have a compliant privacy notice and cookie banner on their website?
The first thing to do is to check the processor’s website and read their privacy notice, in which you may find some positive or some negative indicators. An informative and updated privacy notice or a compliant cookie banner can be a positive indicator that the processor takes data protection seriously. On the other hand, reading a privacy notice that is mentioning Privacy Shield as the transfer mechanism could be a negative indicator, proving that this processor has not bothered to update its privacy notice for more than a year.
Does this processor have technical security measures in place?
The processor must provide sufficient guarantees that they apply technical measures to ensure the security of the personal data they will process on your behalf. Using encryption or pseudonymization for the protection of the data, keeping back-ups, updating their software regularly, following specific protocols for entering any physical storage places by employees, and disposing of paperwork and devices that contain personal data are some measures that you could look for in a processor.
Does this processor have organisational security measures in place, including relevant data protection documentation?
A processor needs to have -in most cases- a Record of Processing Activities, which, if applicable for the specific processor, is a legal requirement. Despite that, the processor shall apply appropriate organisational measures (such as internal data protection/information security policies, data breach protocols, Data Protection Impact Assessments) in place to ensure the security of the personal data they will process on your behalf. The provision of such documentation will enable you to make a more informed decision. Most processors have all the relevant documentation ready for the prospective controllers to examine, which benefits them commercially wise. Have in mind that you may be asked to sign a non-disclosure agreement (NDA) with the processor before they disclose such documentations to you.
Has this processor appointed a Data Protection Officer or another data protection contact person?
A Data Protection Officer (DPO) is an independent data protection professional who helps an organisation to manage its privacy issues. According to the GDPR, in some cases, the appointment of a DPO is obligatory. In case this specific processor is legally required to appoint a DPO but has not fulfilled this obligation yet, it is a very good indicator that it is not taking compliance with the GDPR seriously. On the contrary, if the processor has appointed a DPO voluntarily, despite not having such an obligation, it can be a very positive sign for its respect for data protection.
Also, in case there is no legal obligation to appoint a DPO for this specific processor, and this processor has not appointed one, you can still check whether they have an individual responsible for data protection matters, whether they have communicated with you his or her contact details (name, email address, phone number) and whether this person is easily reachable.
Is the relevant staff of the processor subject to confidentiality obligations?
For security reasons, you want the processor to ensure that anyone it authorizes to process the personal data is subject to a strict duty of confidentiality and that they can only process the data in accordance with the permitted purpose agreed. Therefore, before engaging a new processor you could check if there is a confidentiality clause in the employment contract.
Does the processor hold any information security certifications?
Certifications such as the ISO 27001 assure that the processor has the necessary procedures and controls in place for the defence of their information security. They are a positive indicator that this processor has the appropriate expertise to ensure the protection of personal data.
Has this processor suffered any data breaches in the last year?
A data breach is a situation where data may have been accidentally or unlawfully destroyed, lost or altered, or disclosed to or accessed by unauthorised parties. As a controller, the GDPR obliges you to engage only with processors that can provide sufficient information security guarantees. Therefore, if this processor has suffered data breaches numerous times, it can be a strong indicator not to engage with them.
To what extent does this processor allow the controller to conduct audits?
You have to monitor the activities of the processor throughout the whole lifecycle of your cooperation. For this reason, it is important to choose processors willing to go through regular audits to ensure compliance with contractual obligations. Some processors offer as part of the deal to hire an external auditor to conduct audits at specific intervals and then provide the controller with a written report of the results. Others may allow the controller to conduct onsite audits on its own. Therefore, you need to examine what this processor suggests and see if it is convenient for you.
Will the processor be transferring the data to countries outside of the European Economic Area (EEA)?
You need to examine whether by choosing this processor, you will be transferring the data outside of the EEA. If yes, you must consider whether or not you can find a legal transfer mechanism for the data processing activities that will be undertaken outside of the EEA. As a controller, it is up to you to ensure that you put in place an appropriate transfer mechanism to ensure the rights and freedoms of data subjects remain protected. Often this will be through an EU standard contractual clause agreement.
On the same note, you have to check whether the processor will be transferring the data outside of the EEA by using any sub-processors. First, you need to ask the prospect processor to provide you with a list of any sub-processors they will use for the processing of the data that you will provide them with. Second, if this list contains sub-processors established outside of the EEA, you also have to look for an appropriate transfer mechanism.
It all boils down to this: you are only as strong as your weakest processor. As the controller, regardless of the terms of the contract with a processor, you may be subject to the corrective measures and sanctions set out in the GDPR. These include administrative fines and claims for compensation from data subjects. You need to be able to prove at any point that before choosing your processors, they provided sufficient guarantees for to implement appropriate information security measures. Furthermore, it goes without saying that if you choose a data processor with a reputation which your data subjects do not find acceptable, they may be less willing to do business with you.
What’s next? Transparency is important, so engaging a new processor may require you to modify external documents such as your privacy notice. Moreover, once you have chosen an appropriate processor, you must put in place a contract giving the processor documented instructions to follow. You can read all about negotiating such a contract in the second part of our follow-up blog on processor management, which is releasing next week. Make sure you’re the first to receive the blog by signing up for our newsletter!