Steps to GDPR Compliance: Vendor Management
Post number 5/12 in HireRight's "Steps to GDPR Compliance" blog series covers vendor management, and what the GDPR means for businesses that transfer data to their vendors.
Step 5 – Vendor Management
Through the GDPR looking glass…
“She generally gave herself very good advice, (though she very seldom followed it)” – Why all entities processing data should follow the “very good advice” to “know your Vendor”
In Step 2 of our GDPR blog series, we talked about the importance of data mapping, and knowing where data is being sent to and who is handling it.
In addition to the obligation to data map, data controllers are obligated to ensure that their vendors properly handle personal data entrusted to them. As we have seen with data mapping, there is usually a data processing chain created when conducting pre-employment screening – so any data controller should look not only at how it handles the relationship with its data processor (which we will explore further in a blog post later in the series), but also how that data processor manages its own vendor relationships.
The Past – the wrong side of the looking glass
Although there has been a greater focus on privacy in response to some well-publicised data breaches in recent times, there has remained a tendency for parties to rely solely on contractual terms to manage risk around good governance on privacy issues when dealing with service providers. How many legal departments have spent hours negotiating liability caps for data breach or chewing the fat over the use of subcontractors and data transfer clauses?
But will that change in the future?
The Future – through the looking glass
In some ways, no, there will be no change as the GDPR requires that the data controller document the obligations of its data processors in commercial agreements. However, it is also likely that there will be much more active risk mitigation. This goes to the heart of the data privacy principle of “accountability”.
The reason for this is that Article 28 of the GDPR states that “The Data Controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the Data Subject”.
What this seems to mean is that even though a regulator can fine a data processor directly for a violation, if that same regulator does not believe the data controller has met the obligations under Article 28 then the regulator can fine the data controller for that same violation.
We, therefore, expect that when choosing a data processor, a data controller will want to conduct thorough due diligence. In the context of pre-employment screening services, because there is a chain of custody of personal data, the data controller will also want that data processor to demonstrate that it conducts its own due diligence on any vendors it uses to fulfil the services.
The Present – stepping into the looking glass
What does this mean for data controllers and data processors in the run-up to 25th May? In most cases, a vendor management policy/process flow will already be in place and there will be commercial terms governing the controller/processor relationship. However, in light of GDPR these policies and processes will need some “zhuzhing”. Some ideas to consider are:
Review agreements with vendors to cover Article 28 (more on this later in the series), and to set out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data, categories of individuals whose data is being processed, and the obligations and rights of the controller
Put in place a team that deals specifically with vendor procurement/strategy
Data map!
Compile and maintain an inventory of vendors and contracts categorising vendors in relation to risk
Maintain audit controls based on the risk categorisation of vendors
Utilise technology for a programmatic approach to managing vendor procurement and vendor audit
Include escalation processes in any vendor management policy together with outline remediation processes
Agree how results of any vendor audit will be shared
Conclusion
Taking a strategic and programmatic approach to vendor management as both a data controller and data processor is very good advice: managing vendors means managing processing risk and lessens the risk of a regulator declaring “off with their heads” if anything goes wrong.
Release Date: October 9, 2017
Caroline Smith
Caroline is a UK qualified lawyer with over 18 years’ experience and currently serves as HireRight’s Deputy General Counsel for the EMEA and APAC regions. When not “lawyering” or writing blogs, Caroline can be found striking yoga poses in remote locations such as Mongolia and Bhutan.