Service Providers and Compliant Data Protection
Engaging a Service Provider necessarily entails a degree of risk to your business. Your in-house procedures and the records that you generate may demonstrate the highest level of compliance with Data Protection Legislation. When you engage an outside company to provide a service to your business, can you be certain that their Data Protection policies are consistent with yours? Furthermore, are you accountable for their actions?
Regardless of the types of service that your company engages, you still need to take action in order to maintain compliance.
The questions that should be on your radar as a data controller or data processor:
Oversight of Service Providers has largely been a grey area, and we have seen great frustration and uncertainty from our clients. How far should your oversight as a data controller extend into your supply chain?
If the personal data of your business is compromised by one of your Service Providers, you may be liable for a hefty fine. Will your company face the dreaded reputational damage? Will there be any changes in this area once the GDPR becomes enforced in May 2018? What are the expectations from the Commissioner? What documents are you expected to hand across the table to the Commissioner?
So where to begin? Please allow us to share our experience and expertise and provide a road map or at least some food for thought.
A Road Map:
Each Service Provider should have a clearly-documented Service Level Agreement with unambiguous terms of engagement. As the saying goes, “If it’s not documented it’s not happening”, and, “if it’s documented but not signed by both parties, it’s just graffiti!”
Your starting point is your List of Service Providers. Regardless of your business size, risk and type, all businesses should have a controlled List of Service Providers. This list should live in a single location and have an accountable person who is responsible for maintaining it.
When you have listed your Service Providers, assign each a status, such as Approved, Restricted or Cancelled. Briefly describe, at a high level, the activities each one carries out, with particular reference to the handling of personal data.
Consider the 8 Rules (Ireland) or 8 Principles (UK) of Data Protection and the Data Lifecycle in doing so.
Once you have this level of visibility, you can begin to appreciate the level of risk to your company and it may be much greater than you first thought.
Now that your List of Service Providers is taking shape, you are beginning the Risk Assessment process. Risk management and avoidance is a key feature of the new GDPR and you will need to show that you have considered the risk posed by each of your Service Providers.
Don’t fall into the common trap of assuming that a certain Service Provider is low risk and does not need consideration. Document your risk evaluation, even if it is considered relatively low.
Your intention now is to evaluate the risk of each Service Provider by means of a Risk Assessment. The level of evaluation and documentation here should be commensurate with the level of risk. A high-risk activity, such as handling high volumes of sensitive personal data, should be accompanied by a robust, detailed Risk Assessment.
It helps to engage your Service Provider at this stage for clarification on their processes. Keep in mind two key terms: Reasonably Foreseeable and Reasonably Practical, i.e. what risks to personal data and sensitive personal data are Reasonably Foreseeable, and what risk reduction measures are Reasonably Practical?
Our Consultants at Sytorus have vast experience of Risk Management in Data Protection and would be happy to assist you with this evaluation.
The end result is to record the risk rating of each Service Provider on your List of Service Providers. Even if each Service Provider is low risk, you still need to show you have thought about it and documented the risk, justifying why it is low.
Review your risk ratings on an ongoing basis. If your Service Provider makes changes to their processes or sub-contracting arrangements, then you need to show that you have considered the risks involved and reconsidered the current risk rating.
In the event of a visit by the Data Protection Commissioner, and regardless of the complexity of your business processes, you will be required to provide a List of Service Providers that, as the GDPR states, must be readily available in electronic format.
Sytorus has developed PrivacyEngine, an online tool that allows you to manage your Data Protection documentation such as your List of Service Providers and your Risk Assessments in a centralised, secure repository. This tool also acts as a Document Management System that houses your Policies, allowing you to create, review, check in and out and archive documents as needed.