From IT solutions to DPO services, accounting, and customer services, the global outsourcing sector is expanding to support the needs of organisations across all industry sectors.
According to a report by Infiniti Research, the global outsourcing market is expected to grow by $75-89 billion between 2023 and 2027, with a compound annual growth rate of 6.5%.
By outsourcing specific processes, or even whole business functions, companies can focus on what they do best, improving efficiency and productivity. However, it is important to understand the implications and responsibilities of using a vendor, especially where the vendor has access to personal data (information relating to an identified or identifiable natural person).
Vendors are usually thought of as businesses selling goods or services, but in the context of the General Data Protection Regulation (GDPR), the term covers any partner, supplier or third party with access to personal data.
Data protection laws require organisations to safeguard the security of any personal data being processed and non-compliance can lead to reputational damage and penalties. It is, therefore, essential to ensure that your contracted vendors also comply with the necessary data protection regulations.
In this blog, we explain the difference between the roles of data controllers (entities, such as organisations, which determine the purposes and means of processing personal data) and processors, and walk through the vendor due diligence process, setting out the essential steps for maintaining compliance with the GDPR.
Please note that when we refer to the GDPR here, we mean both the EU GDPR (Regulation (EU) 2016/679) and the UK GDPR (the version of the regulation retained in UK law, which has applied since 1 January 2021 alongside the Data Protection Act 2018). Although there are certain differences between the two, for the purpose of this discussion we use GDPR as a collective term for both regulations.
In determining the different roles and levels of responsibility in handling personal data, the GDPR makes a distinction between the terms ‘controller’ and ‘processor’:
The controller exercises overall control over the personal data being processed and therefore shoulders the highest level of compliance responsibility.
The processor has less overall control over the personal data but is responsible for ensuring the processing follows the controller's documented instructions. Processors also have some direct legal obligations, including notifying the controller without undue delay in the event of a personal data breach, implementing appropriate security measures, keeping a record of the processing activities carried out on behalf of the controller, and not engaging sub-processors without the controller's authorisation.
What this means in practical terms – consider this scenario:
A healthcare company (the controller) collects personal data from European patients in order to provide medical services. The data is stored and managed on a third-party cloud storage platform (the processor) and includes information such as names, addresses, and medical histories.
In the above example, the healthcare company must ensure any personal data collected is handled in strict accordance with the GDPR. This includes providing clear privacy notices, ensuring personal data is processed on an appropriate lawful basis, and safeguarding the security of the data, including any onward transfers of personal data outside the EU.
Before engaging with the third-party cloud storage company, the healthcare company needs to assess the cloud storage company’s data protection practices and identify any risks. These risks must be reduced or mitigated prior to the cloud storage company obtaining access to any personal data.
Once contracts are signed, the cloud storage company must follow the healthcare company's instructions and ensure robust safeguards are in place. Among its other responsibilities, in the unfortunate event of a data breach the cloud storage company must notify the healthcare company without undue delay, within a timeframe that allows the controller to mitigate any risk to its data subjects. We commonly see “within 48 hours of becoming aware of the breach” in contract terms, but this should be assessed on a case-by-case basis.
It is important to note that the GDPR gives controllers only 72 hours after becoming aware of a personal data breach (an incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data) to report it to the relevant supervisory authority, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. If the breach is likely to result in a high risk to individuals' rights and freedoms, the controller must also inform those individuals without undue delay.
Under Article 28 (1) of the GDPR, there is an obligation for controllers to ensure processors provide sufficient guarantees that their data processing meets the requirements of the GDPR and safeguards the rights of data subjects.
This means that, as a controller, you bear the responsibility of protecting your customers' data from the additional risks introduced by engaging a specific vendor. It is, therefore, crucial to assess whether the vendor can be relied upon to manage the data in strict compliance with data protection laws.
Additionally, you need to ensure that a vendor will not compromise your own systems and data, particularly in situations where there is integration or connection of systems.
An effective due diligence process should include a review of the vendor’s policy and procedural framework, operational infrastructure, and data security measures. Risks can be identified and mitigated to ensure personal data is processed in line with the controller’s standards and GDPR requirements.
A due diligence process is typically started by issuing a questionnaire and should include these five steps:
Step 1: Understand the data handling practices
A due diligence questionnaire should include a request for documentation including the vendor’s privacy policy and any voluntary or mandatory risk assessment documents such as Data Protection Impact Assessments (DPIAs) that have been carried out on the services they will be offering you.
You need to ascertain these important details:
Step 2: Assess the policies and procedures
The next important step is to assess the vendor's data protection policies and procedures to ensure they are at least equivalent to your own standards.
These should include at least:
The vendor needs to evidence that suitable controls are in place for data processing, including any sub-processors they may use. They should also demonstrate their commitment to maintaining these controls through regular audits and reviews.
Step 3: Evaluate the technical security measures
It is important to ensure that technical safeguards are in place to protect personal data from unauthorised access, alteration, disclosure or destruction.
Such measures include, for example:
Step 4: Review international data transfer controls and processes
If personal data is being held outside the EEA and/or the UK, the processor will need to evidence that an appropriate international transfer mechanism is in place.
Practically, this means ensuring your contract requires the processor to implement appropriate transfer agreements for their own transfers and any onward transfers by their sub-processors.
In many cases, this will mean implementing Standard Contractual Clauses (the contractual safeguards approved for transfers of personal data from the EU/EEA or the UK to third countries) or one of the other suitable transfer mechanisms under the GDPR.
As noted in Step 1, if the data being transferred is classified as high-risk, evidence of a DPIA covering the transfer should also be included.
Step 5: Mitigate risks & draw up a Data Processing Agreement (DPA)
If any risks have been identified during the assessment, the vendor must be required to address them before proceeding.
For example, if the vendor has no alerting for suspicious activity or intrusions on its network, alerting can be configured and evidence of it provided back to you.
The final step is to draw up a Data Processing Agreement (DPA) with the processor (the third party processing personal data on your behalf), which should include these important details:
For a template DPA download our GDPR Policy Toolkit
Conducting due diligence on vendors is vital for assessing and mitigating risk and ensuring compliance with the GDPR. The process allows for a thorough evaluation of a vendor’s operational procedures and data protection safeguards before entering into a contractual agreement.
A comprehensive due diligence process should include a questionnaire that covers the five key steps of assessing a vendor’s data handling practices, policies and procedures, technical security measures and any international data transfer controls and processes. The final step is to mitigate any risks before drawing up a data processing agreement (DPA).
These steps can also be followed for existing suppliers or outsourced services, although in that case it is advisable to add a pre-qualification risk assessment stage. Most organisations have numerous suppliers, and reviewing them all in full would be too time-consuming. A preliminary assessment identifies which suppliers need further investigation based on criteria such as GDPR relevance, risk level, and the nature of the data being handled.
If you need help with your GDPR compliance or are thinking about outsourced data protection services, please get in touch by completing the form below.