As a Data Controller, should you be auditing your Processors?
Whilst there has always been a responsibility on Data Controllers (those who collect and determine how personal data is processed) to ensure that their Data Processors (organisations actually doing the processing on the request of the Controller) are compliant (particularly with security) the GDPR upped the liabilities and responsibilities of both Controllers and Processors.
Specifically Article 28 of the GDPR introduced two key points:
- Controllers shouldn’t use Processors who are not compliant and are unable to demonstrate as much
- A contract has to be in place between the Controller and Processor with Article 28 (3) actually listing the minimal terms of that contract to bind the Controller and the Processor to specific data protection requirements
This means that if you are a Data Controller and you are using a third-party Data Processor to process your data, then you need to carry out due diligence and make sure there is some kind of contract or agreement in place. And you must remember that “processing” has a wide definition so this isn’t just about Data Processors sending out marketing materials for you and processing your email list, this is about anyone who is processing your data and that will include cloud storage (Dropbox, OneDrive, you local server hosting company, etc.), cloud (or SaaS) services (e.g. your CRM), etc.
But is it as straightforward as that?
Accountability and responsibility
The accountability principle (Article 5(2)) introduced in the GDPR requires that Data Controllers “shall be responsible for, and be able to demonstrate compliance with” all the other data protection principles (processed lawfully, retention, etc.). Plus Article 24 (“Responsibility of the controller”) of the GDPR requires the Data Controller to “implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with” the GDPR and that these “measures shall be reviewed and updated where necessary“.
Typically, when we think about demonstrating such measures, we think of:
- Auditing our business’ data processing activities and systems
- Documenting our processing activities
- Having a suite of data protection related policies in place across the business
- Training our employees so they understand their role in data protection compliance and what the law says
- Having someone who acts as a data protection lead (perhaps a Data Protection Officer, Manager or Champion)
- Keeping all these requirements under review, refreshing training, policies, etc.
But, actually this needs to go a bit further that just this, when we consider those Article 24 requirements and more specifically the requirement to ensure these “measures [are] reviewed and updated where necessary“. This introduces the issue of understanding what “reviewed” actually means in the context of compliance and the bad news is that we don’t really know how this is to be or should be interpreted.
The best the ICO (the Information Commissioner’s Office that regulates data compliance) can manage is to suggest that these reviews should be carried out at “appropriate intervals”, whatever that might actually mean. Plus we know from previous ICO reports (such as the April 2018 audit of some volunteer charities) that the ICO does expect organisations to be able to demonstrate they carry out routine compliance checks.
So, that’s fine. We can assume that we should “regularly” (maybe annually) review our processing activities, consider any changes in law or guidance that may influence what we’re doing or what needs to change in policy documents and remind our employees that data protection still applies to all the data processing they’re doing. We can also spot check teams who process data to make sure they’re applying company policy and data protection principles.
But should you be doing more than that to demonstrate your ongoing compliance?
Back to Article 28
Article 28(3)(h) is one of the contractual requirements between the Controller and Processor:
[the processor should] make available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
This specific contractual requirement seems to be interpreted in many ways. Some Data Processing Agreements have the clause but include a cost element (usually cost to the Data Controller), others have stipulated that they will provide evidence if and when necessary — there doesn’t seem to be any consistent approach. But the Hub has also seen that for some Data Processors, some Controllers are enforcing these terms strictly, setting out (a) that the Processor must carry out annual audits and (b) some stipulating the audit standard required.
But on the whole, this does seem to be a clause implemented in the contracts between Controllers and Processors and not much more and we haven’t heard of many actually enforcing this part of the contract — true, it is early days yet as GDPR is still bedding in for most businesses.
Auditing and demonstrating compliance
So if we bring the two elements (regular reviews to demonstrate ongoing compliance and the Controller/Processor contract requirement for the Processor) together, this means that if you’re a Data Controller then perhaps, by way of demonstrating your own compliance, you need to have carried out an audit or at least got audit-evidence from your Data Processors.
That’s one interpretation. The other could be that you would only need to act on Article 28(3)(h) implemented in your contract terms if you had any doubt about the competence of your Processor.
The latter interpretation works better if you have lots of Data Processors as you could claim that you don’t need to audit some of the bigger, well known organisations as “of course they’re compliant”, but as we know, can we make that assumption — it wouldn’t be the first time we’ve heard about a “big name” being caught out (Marriott Hotels, Facebook, Uber, etc.) — can you be sure that your big suppliers really are compliant?
Plus, if you go down the route of ultra-compliant and do start enforcing the “audit” clause in your Processor agreements:
- Who’s going to pay for it? And if it’s you, how much is it going to cost you — you’re either going to have to do it yourself or get a consultant to do it for you.
- Are you really going to be able to go to Microsoft and Google and the big players and send in an auditor?
And if your Processors go down the route of saying they will supply you with their own audit reports, will you trust them as being comprehensive enough or be able to interpret the results?
Furthermore, are you asking your Processors to provide you with the results of their own internal audits — do they have a report to share with you?
What this all means in reality
Whilst the black and white of the law suggests you should be carrying out audits on your third-party Data Processors in reality, it comes down to two things:
- A risk assessment
- Being able to demonstrate that you believe you did the right thing when it comes to data compliance
So in reality, yes the law does say you need to keep your compliance under review (remember GDPR is not just for May 2018!) but equally it would be reasonable for you to take a pragmatic approach.
At the very least:
- Make sure you understand your suppliers’ approach to data protection compliance
- Make sure you have Data Processing Agreements or other contractual terms that reflect the requirements of the GDPR’s Article 28
- Make sure you have recorded this “due diligence” and therefore be able to demonstrate it
- Make sure you review your compliance on a regular basis — we think annually is probably appropriate, but you may need to do this more frequently if you’re processing large amounts of data or you have large turnover of staff, for example
- If you’re in any doubt about your third-party Data Processors either don’t use them, get them to send their own internal compliance audit report (they should have one if they’ve carried out GDPR preparations correctly) or consider activating that “audit” clause in your Agreement and send in someone to double-check
But, there’s a caveat: there’s currently (at the time of publishing this article) no clear guidance or interpretation about the audit requirements between Controllers and Processors, nor are there clear indications of what your frequency for reviewing your own compliance should be, so you will need to keep an eye on precedents set across Europe, further interpretations or guidance from the ICO or the European Data Protection Board (EDPB).
If you want to be ultra-cautious about it and don’t want to be the first test-case where these terms are tested, you’ve got a lot of work to do!
The Hub is here to help
Here at the Digital Compliance Hub we pride ourselves on making your data protection and eprivacy compliance journeys as simple as possible. We support businesses with their compliance by offering a support helpline backed up with a library of support tools, guidance, checklists, templates and advice. If you’re looking for someone to help you get to grips will all aspects of your data compliance, then check us out — you can try us free for 14 days and there are savings for signing up for a 12 month subscription — more information here.
When it comes to the Controller — Processor relationship then we have a number of resources that can help you in our content section dedicated to the Controller — Processor relationship which includes:
- The basics of what you need to know
- A how-to guide about how to carry out third-party Processor due diligence and how to get your colleagues onboard with helping
- Various checklists and walk-throughs
- Document templates and Data Processing Agreement templates for you to adapt
- A Processor Due Diligence Kit
If you don’t fancy signing up to the Hub (which is a shame because you’ll miss out on all the guides, toolkits and support) then you can purchase the Processor Due Diligence Kit as a separate download (no subscription required)