What to Ask Your Vendors About GDPR Compliance
Are Your Vendors Data Processors?
Vendor compliance management is a key starting point towards GDPR compliance. When your organization is deciding whether to use a vendor as part of your GDPR compliance efforts, you must follow GDPR vendor (processor) compliance management best practices.
As a controller, you determine the purpose and means for processing personal data. You have authority and decision-making over personal data and take on the responsibilities of a controller as outlined in the law. Any of your vendors that process personal data of EU data subjects will be defined as “processors,” or the natural or legal person who processes personal data on your behalf. Processing is essentially anything done to personal data, including storing, archiving, transmitting, compiling, erasing or reviewing.
Determining which of your vendors process personal data under GDPR requires identifying which data elements from which data subjects are processed by each vendor – this is part of the process called “data mapping.”
Once you’ve determined which of your vendors must comply with GDPR, you must understand which GDPR requirements apply to processors. Articles 2-3, 5-23, 27-33, 37-39, and 44-49 all describe GDPR requirements specific to processors and must be followed in order to attain GDPR compliance.
One way to contextualize processor requirements is by understanding the required contract elements for controller-processor relationships.
Contractual Agreements That Are GDPR Compliant
Contractual agreements are a major aspect of vendor compliance management. Article 28 describes processor requirements, including the requirement to establish a contractual relationship between controllers and processors, and provides details on what components must be included in contractual agreements.
The European Commission or Member State supervisory authorities may adopt standard contractual clauses for certain matters, but contractual agreements between controllers and their processor vendors must be in writing and stipulate the following:
- The subject-matter, duration, nature, and purpose of the processing activities
- The type of personal data included in processing activities
- The categories of data subjects included in processing activities
- The obligations and rights of the controller
- The processor will only process personal data based on documented instructions from the controller
- The processor ensures that persons authorized to process personal data have committed themselves to confidentiality
- The processor takes all measures required for the security of processing (Article 32)
- The processor respects the conditions for engaging another processor – specifically, prior notice to controllers and the opportunity for controllers to object
- Taking into account the nature of the processing, the processor must assist the controller by implementing appropriate technical and organizational measures, as part of the controller’s obligation to uphold data subjects’ rights
- The processor assists the controller in ensuring compliance with the obligations of Articles 32-36, which includes security of processing, data breach notification to supervisory authorities and data subjects, and data protection impact assessments
- At the choice of the controller, the processor must delete or return all personal data to the controller after the end of the provision of services relating to processing, and must delete existing copies unless EU or Member State law requires the storage of the personal data
- The processor makes all necessary compliance information available to the controller
- The processor will allow for and contribute to audits conducted by the controller
If you’re reading this and thinking, “I’m a processor. What should I do to show I’m a GDPR compliant vendor?” then you should go through the list of items required in each contract between controllers and processors to identify whether you can comply with each of the requirements.
By using the contractual requirements as a guideline for GDPR compliance, not only will you reduce your risk of regulatory fines, you will also gain a competitive advantage by proactively pursuing GDPR compliance. By demonstrating that you meet the needs of GDPR compliant contractual agreements, you can provide controllers with the assurance they need.
If you are a controller, there are at least two questions to ask and answer for processor oversight:
- Have you updated your contracts to ensure that each agreement contains all of the GDPR-required elements?
- Are you following vendor compliance management best practices to ensure that processors are fulfilling their contractual and regulatory obligations?