Vendor due diligence & GDPR compliance: 5 practical steps - Outsourced Data Protection Officers GDPR and Data Protection Compliance (2024)

From IT solutions to DPO services, accounting, and customer services, the global outsourcing sector is expanding to support the needs of organisations across all industry sectors.

According to a report by Infiniti Research, the global outsourcing market is expected to grow by $75-89 billion between 2023 and 2027, with a compound annual growth rate of 6.5%.

By outsourcing specific processes, or even whole business functions, companies can focus on what they do best, which helps improve efficiency and productivity. However, it is important to understand the implications and responsibilities of using a vendor, especially when there is access to personal data.

The term ‘vendor’ typically refers to a business selling goods or services, but in the context of the General Data Protection Regulation (GDPR), vendors are partners, suppliers, and third parties with access to personal data.

Data protection laws require organisations to safeguard the security of any personal data being processed and non-compliance can lead to reputational damage and penalties. It is, therefore, essential to ensure that your contracted vendors also comply with the necessary data protection regulations.

In this blog, we explain the difference between the roles of data controllers and processors and delve into the vendor due diligence process, providing you with essential steps to maintain compliance with the GDPR.

Please note that when we refer to the GDPR here, we mean both the EU GDPR and the UK GDPR. Although there are certain differences between the two, for the purpose of our discussions, we’ll use GDPR as a collective term to represent both regulations.

GDPR compliance: data controllers and processors

In determining the different roles and levels of responsibility in handling personal data, the GDPR makes a distinction between the terms ‘controller’ and ‘processor’:

  • A ‘controller’ is a person or organisation deciding how and why personal data is gathered and used (i.e. a controller determines the means and purpose of processing)
  • A ‘processor’ is a person or organisation that handles personal data under the instructions of the controller

The controller exercises overall control over the personal data being processed and therefore shoulders the highest level of compliance responsibility.

The processor has less overall control over the personal data but is responsible for ensuring the data processing is in line with the instructions of the controller. There are also some direct legal obligations for processors, including notifying the controller in the event of a data breach, ensuring appropriate data security measures are implemented, and keeping a record of data processing operations.

What this means in practical terms – consider this scenario:

A healthcare company (the controller) collects personal data from European patients in order to provide medical services. The data is stored and managed on a third-party cloud storage platform (the processor) and includes information such as names, addresses, and medical histories.

In the above example, the healthcare company must ensure any personal data collected is handled in strict accordance with the GDPR. This includes providing clear privacy notices, ensuring personal data is processed according to an appropriate lawful basis, and safeguarding the security of the data, including any onward transfers of personal data outside the EU.

Before engaging with the third-party cloud storage company, the healthcare company needs to assess the cloud storage company’s data protection practices and identify any risks. These risks must be reduced or mitigated prior to the cloud storage company obtaining access to any personal data.

Once contracts are signed, the cloud storage company must follow the instructions of the healthcare company and ensure robust safeguards are in place. In addition to other responsibilities, in the unfortunate event of a data breach, the cloud storage company must notify the healthcare company without undue delay, ideally within a timeframe that allows the controller to mitigate any risk to their data subjects. We commonly see “within 48 hours of becoming aware of the breach” within contract terms, but this should be assessed on a case-by-case basis.

It is important to note that the GDPR only affords controllers up to 72 hours after becoming aware of a personal data breach to report the breach to the relevant regulatory authority. If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, the controller must also inform those individuals.

Vendor due diligence is a vital process for controllers

Under Article 28 (1) of the GDPR, there is an obligation for controllers to ensure processors provide sufficient guarantees that their data processing meets the requirements of the GDPR and safeguards the rights of data subjects.

This means that, as a controller, you bear the responsibility of safeguarding your customer’s data from additional risks when engaging with a specific vendor. It is, therefore, crucial to assess whether the vendor is dependable in managing the data in strict compliance with data protection laws.

Additionally, you need to ensure that a vendor will not compromise your own systems and data, particularly in situations where there is integration or connection of systems.

An effective due diligence process should include a review of the vendor’s policy and procedural framework, operational infrastructure, and data security measures. Risks can be identified and mitigated to ensure personal data is processed in line with the controller’s standards and GDPR requirements.

A due diligence process is typically started by issuing a questionnaire and should include these 5 steps:

Step 1: Understand the data handling practices

A due diligence questionnaire should include a request for documentation including the vendor’s privacy policy and any voluntary or mandatory risk assessment documents such as Data Protection Impact Assessments (DPIAs) that have been carried out on the services they will be offering you.

You need to ascertain these important details:

  • How will the personal data be collected?
  • Where will the data be stored?
  • Who will have access to the data?
  • Are there any sub-processors and, if so, what are their data handling practices? Sub-processors are third parties hired by the processor that will potentially have access to the personal data
  • How long will the data be stored? The GDPR requires organisations to retain data only for as long as necessary for the purposes it is held
  • Do they have any certifications, such as Cyber Essentials Plus, ISO 9001, ISO 27001 or ISO 27701? These demonstrate commitment to embedding appropriate practices throughout the organisation

Step 2: Assess the policies and procedures

The next important step is to assess the vendor’s data protection policies and procedures to ensure they are essentially equivalent to your standards.

These should include at least:

  • Privacy policy and privacy notice
  • Data breach response procedure
  • Data subject access request (DSAR) procedure
  • Data sharing processes
  • Employee data protection training programmes

The vendor needs to evidence that suitable controls are in place for data processing, including any sub-processors they may use. They should also demonstrate their commitment to maintaining these controls through regular audits and reviews.

Step 3: Evaluate the technical security measures

It is important to ensure that technical safeguards are in place to protect personal data from unauthorised access, alteration, disclosure or destruction.

These can include:

  • Encryption: A method of converting data into a code to prevent unauthorised access
  • Access controls: Security measures that identify users and control their access to data and resources
  • Firewalls: Network security systems that monitor and control incoming and outgoing network traffic based on pre-determined security rules
  • Intrusion detection systems (IDS): Devices or software applications that detect malicious activity
  • Security information and event management (SIEM) systems: Tools that provide real-time analysis of security alerts generated by applications and network hardware
  • Regular security audits: Systematic evaluations of IT systems to measure how well they conform to a set of established criteria

Step 4: Review international data transfer controls and processes

If personal data is being held outside the EEA and/or the UK, the processor will need to evidence that an appropriate international transfer mechanism is in place.

Practically, this means ensuring your contract requires the processor to implement appropriate transfer agreements for their own transfers and any onward transfers by their sub-processors.

In many cases, these may require the implementation of Standard Contractual Clauses or one of the other suitable mechanisms under the GDPR.

Again, if the data is classified as high-risk data, evidence of a DPIA should be included.

Read: Standard Contractual Clauses (SCCs) for data transfers

Step 5: Mitigate risks & draw up a Data Processor Agreement (DPA)

If any risks have been identified during the assessment process, the vendor must be required to address them before proceeding.

For example, if the vendor’s network does not have any alerts for suspicious activity or intrusions, system alerts can be set up and evidenced back to you.

The final step is to then draw up a Data Processor Agreement (DPA), which should include these important details:

  • General information – the nature of the data processing, duration, personal data category, and controller and processor’s GDPR obligations and responsibilities
  • Security measures – the safeguarding processes and controls expected of the processor
  • Sub-processors – the provision for whether or not these are allowed and, if so, under what conditions
  • Breach notifications – the specification that in case of a data breach, the processor is required to notify the controller without undue delay
  • Audits and inspections – the controller should secure the right to conduct audits and inspections to ensure ongoing GDPR compliance
  • End of contract provisions – the contract should specify what happens to the personal data at the end of the contract. For example, the data could be deleted or returned to the controller
  • Liabilities and indemnities – controllers should protect their position by requiring processors to indemnify them against all costs, claims, damages and expenses incurred because of their actions. It is important to note that controllers will want unlimited liability, whereas processors should insist liability is capped

For a template DPA, download our GDPR Policy Toolkit.

Summary

Conducting due diligence on vendors is vital for assessing and mitigating risk and ensuring compliance with the GDPR. The process allows for a thorough evaluation of a vendor’s operational procedures and data protection safeguards before entering into a contractual agreement.

A comprehensive due diligence process should include a questionnaire that covers the five key steps of assessing a vendor’s data handling practices, policies and procedures, technical security measures and any international data transfer controls and processes. The final step is to mitigate any risks before drawing up a data processing agreement (DPA).

These steps can also be followed for any existing suppliers or outsourced services, although it is advisable to conduct a pre-qualification risk assessment stage. Most organisations have numerous suppliers, and it would be too time-consuming to review them all. In this situation, a preliminary assessment is useful to identify which suppliers need to be investigated further based on certain criteria, such as GDPR relevance, risk level, and the nature of the data being handled.

If you need help with your GDPR compliance or are thinking about outsourced data protection services, please get in touch by completing the form below.
