The GDPR and security
In the fourth blog in our series on the General Data Protection Regulation (GDPR), Jessica Bent, partner and co-head of the Technology, Media & Telecommunications team, and Kate Benefer, an employment partner at Royds Withy King, explore the issue of security, data processing agreements and the GDPR.
Compliance with the GDPR is all about IT security, isn’t it?
Not quite. While IT security remains an important issue for organisations to review and consider, the GDPR is clear that throwing technology at a situation will not in itself result in achieving compliance.
In particular, the GDPR requires all data controllers who use data processors to have in place a Data Processing Agreement or a contract that contains such clauses. At first glance, if you think this doesn’t apply to your organisation, you are probably wrong. Given that technology has made it increasingly easy to share data, it is likely that you will use a data processor. Common examples of data processors include software providers, cloud providers, hosting companies, insurance providers and payroll providers.
What is a Data Processing Agreement?
A Data Processing Agreement sets out the data processor’s obligations to the data controller. The agreement should generally include the type of personal data being processed, the lawful basis for processing the data, how long the processing will take place and the obligations imposed upon the data processor. In essence, the data controller is ensuring through the agreement that the obligations under the GDPR are complied with by the data processor.
In practice, the agreement can take many forms such as a data processing agreement, the insertion of data processing clauses into a contract/agreement or an addendum to an existing contract/agreement.
For most data controllers, it will also be important to include indemnities such that if the data processor causes a data breach, the data processor will pay any losses arising (including any fine imposed by the ICO).
Anything else I should know about Data Processing Agreements?
Simply having a signed Data Processing Agreement isn’t enough to demonstrate compliance with the GDPR. We are recommending that organisations adopt a two-step process with their data processors. The first step conducting due diligence in respect of the data processor, and the second step is agreeing and signing the terms of the Data Processing Agreement.
When conducting due diligence, data controllers should assess the data processor’s practices to ensure that they actually “do as they say” rather than simply taking their word for it. In practice, this is likely to be dealt with by way of a questionnaire where the data processor provides information to the controller about the security systems they have in place. For example, these can include details of their IT security system, the policies they have in place to ensure staff comply, and their internal procedures in place to deal with a data breach. The due diligence needs to be more than just a “yes” or “no” answer, and where possible data controllers should seek documentary evidence (i.e. a copy of the relevant policy).
The due diligence also needs to be proportionate. If a data processor is processing special category data (e.g. an occupational health provider processing medical records) then due to the special nature of the data a higher level of due diligence will likely be required.
Data processing outside of the UK
If a data controller deals with a data processor which is based outside of the European Economic Area (EEA), then there are additional steps required in order to comply with the GDPR. In short, the data controller and the data processor outside of the EEA need to make sure that there are appropriate processes and safeguards in place, so that under the GDPR, the rights of data subjects are protected. There are several ways that this can be achieved, and each situation needs to be looked at on its own facts.
Sometimes the EU Commission will have issued an adequacy decision such that the Commission has recognised that the data protection framework in that country, or in a particular certification system (such as the US privacy shield), is sufficient to provide an adequate level of protection of the rights of data subjects. If this is the case, then that adequacy decision can be referred to in the Data Processing Agreement.
Organisations also need to consider their organisation’s IT security implementing a system to ensure any software and procedures are reviewed regularly. Organisations should, where possible, look at the ways to ensure that personal data is stored securely and use encryption where possible.
Organisations should also consider ways in which they could improve their organisations IT security. For example, avoiding using email unless absolutely necessary. Emails can be forwarded and are one of the easiest ways in which a data breach could occur. Organisations could instead use a secure system to deal with the sharing of documents (e.g. CVs for potential candidates). This also avoids the risk of employees retaining documents in an inbox for longer than necessary.
Organisations could also demonstrate compliance by testing their processors. Penetration testing – the mystery shopping of the data world – is where a provider will carry out a simulated attack on the organisations systems to identify the likely weaknesses. By carrying out this type of testing and acting on any findings it is likely to demonstrate that your organisation is taking the security of personal data seriously.
In order to achieve compliance, it is likely organisations will also need to put in place a procedure to ensure that the staff responsible for entering into contracts or renegotiating contracts ensure that the due diligence processes are complied with and the relevant data processing agreements put in place.
Organisations are likely to want to consider implementing or reviewing internal policies focusing on data security. Where staff work at home, the risks are higher given that a third party is more likely to see confidential data on a computer screen or paperwork lying around. It’s therefore advisable that organisations have clear procedures for homeworking. The same applies to staff who use their own electronic device and the organisation cannot be sure if that device has appropriate security. By including a set of clear rules within a policy, this is likely to not only highlight to employees what security measures they should undertake, but will also provide documentary evidence that your organisation has endeavoured to comply with the GDPR.
It’s important to remember that despite an organisation’s best efforts, you cannot always prevent a data breach. In the event of a data breach, the ICO will consider the efforts made by the organisations to prevent a breach and in this scenario the documentary evidence of the attempts to comply with the GDPR will be key. In our next blog in our GDPR series, we will be focusing on the issue of data breaches and the GDPR.
At Royds Withy King, we have a specialist GDPR team who are on hand to assist with any of your GDPR queries. We can also offer everything from staff training to a GDPR retainer to help your business get GDPR ready. For more information, access our GDPR hub here.
For more information on the GDPR and how it might affect your business, please contact Jessica Bent or Kate Benefer
01225 730 100 Email us