Step 5 – Vendor Management
Through the GDPR looking glass…
“She generally gave herself very good advice, (though she very seldom followed it)” – Why all entities processing data should follow the “very good advice” to “know your Vendor”
In Step 2 of our GDPR blog series, we talked about the importance of data mapping, and of knowing where data is being sent and who is handling it.
In addition to the obligation to data map, data controllers are obligated to ensure that their vendors properly handle personal data entrusted to them. As we have seen with data mapping, there is usually a data processing chain created when conducting pre-employment screening – so any data controller should look not only at how it handles the relationship with its data processor (which we will explore further in a blog post later in the series), but also how that data processor manages its own vendor relationships.
The Past – the wrong side of the looking glass
Although there has been a greater focus on privacy in response to some well-publicised data breaches in recent times, there has remained a tendency for parties to rely solely on contractual terms to manage risk around good governance on privacy issues when dealing with service providers. How many legal departments have spent hours negotiating liability caps for data breach or chewing the fat over use of subcontractors and data transfer clauses?
But will that change in the future?
The Future – through the looking glass
In some ways, no, there will be no change as the GDPR requires that the data controller document the obligations of its data processors in commercial agreements. However, it is also likely that there will be much more active risk mitigation. This goes to the heart of the data privacy principle of “accountability”.
The reason for this is that Article 28 of the GDPR states that “The Data Controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the Data Subject”.
What this seems to mean is that even though a regulator can fine a data processor directly for a violation, if that same regulator does not believe the data controller has met the obligations under Article 28, then the regulator can fine the data controller for that same violation.
We therefore expect that, when choosing a data processor, a data controller will want to conduct thorough due diligence. In the context of pre-employment screening services, because there is a chain of custody of personal data, the data controller will also want that data processor to demonstrate that it conducts its own due diligence on any vendors it uses to fulfil the services.
The Present – stepping into the looking glass
What does this mean for data controllers and data processors in the run-up to 25th May? In most cases a vendor management policy/process flow will already be in place and there will be commercial terms governing the controller/processor relationship. However, in light of GDPR these policies and processes will need some “zhuzhing”. Some ideas to consider are:
- Review agreements with vendors to cover Article 28 (more on this later on in the series), and to set out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data, categories of individuals whose data is being processed, and the obligations and rights of the controller
- Put in place a team that deals specifically with vendor procurement/strategy
- Data map!
- Compile and maintain an inventory of vendors and contracts, categorising vendors in relation to risk
- Maintain audit controls based on the risk categorisation of vendors
- Utilise technology for a programmatic approach to managing vendor procurement and vendor audit
- Include escalation processes in any vendor management policy together with outline remediation processes
- Agree how results of any vendor audit will be shared
Taking a strategic and programmatic approach to vendor management as both a data controller and data processor is very good advice: managing vendors means managing processing risk and lessens the risk of a regulator declaring “off with their heads” if anything goes wrong.