Your Responsibility for Vendor Security

Almost every organisation shares personal data with a third party, usually a vendor of services: a solicitor, accountant, pension provider, healthcare provider, marketing company and many others. But did you know that under both the Data Protection Act and GDPR, you retain extensive legal obligations, and real risk exposure, for the failings of those third parties?

You collected the data, so you are the Data Controller, and your pensions provider etc. is the Data Processor once it is in receipt of that data. Your risk exposure stems from the fact that responsibility for compliance sits with you, the data controller. Under the Data Protection Act 1998 the processor had no direct statutory duties at all; GDPR now places some direct obligations on processors as well, but it does not relieve the controller of its own.


The controller also has a duty to ensure the processor’s security arrangements are at least equivalent to the security the controller would be required to have in place if it was processing the data itself.


The Seventh Data Protection Principle (security) of the Data Protection Act 1998 requires that, ‘Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must in order to comply with the seventh (security) principle —

(a) choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and

(b) take reasonable steps to ensure compliance with those measures.’

In other words, if you hand over data in the proper exercise of your organisational duties and the Data Processor then suffers a breach, it may be your organisation that is held liable if you cannot show you chose the processor carefully and took reasonable steps to check that it adhered to the security measures you required.

It therefore becomes imperative that you conduct Vendor Audits. Suppose, for example, that after a recruitment company has shared CVs with a prospective client, it receives a Right to be Forgotten request. The recruiters will delete the candidate’s data and instruct the client to do the same. If the client then fails to delete the data (or cannot find every copy of it), the recruitment firm remains exposed, because it must be able to show it took reasonable steps to ensure the deletion actually happened.

In summary, the Data Controller must take reasonable steps to ensure the security of shared data is maintained. This includes obtaining the processor’s DPIAs, reviewing its policy and procedure documents, and auditing its security arrangements in practice rather than on paper alone.

Beware: a template ‘Data Sharing Agreement’ is not enough. GDPR (Article 28) requires a written contract setting out the processor’s obligations, so a formal contract containing those terms is strongly recommended.
