Up to this point in our Guide To Data Privacy And Security, we have covered how to prepare and build your data privacy framework, explored policies and procedures, defined the role of accountability, offered guidelines for an effective third-party management process, and described the best approach and tools for assessing your vendors.
Now suppose you have structured that assessment process and approved a vendor from a security perspective. What are your next steps?
Under GDPR, LGPD and PIPEDA, among many other privacy regulations, the processing responsibilities of that vendor must be formalized in a binding written contract before any personal data is shared, most commonly called a Data Processing Agreement (DPA). If your own organization is itself a processor, the vendor is a sub-processor and the same requirement applies, flowed down from your controller's instructions.
Why Are DPAs So Important?
A data processing agreement (DPA) is a legally binding contract between the controller and the processor. It governs the processing activities and, under GDPR Article 28(3), must contain at least the following terms:
- The processor processes personal data only on the documented instructions of the controller, including with regard to transfers to third countries, and everyone authorised to process the data is bound by confidentiality, either by contract or under statute.
- The processor implements all technical and organizational measures required under Article 32 to secure the data.
- The processor does not engage a sub-processor without the controller's prior specific or general written authorisation. Under a general authorisation it must announce any intended addition or replacement and give the controller the chance to object, and it must bind each sub-processor to the same data protection obligations by contract, remaining fully liable to the controller for that sub-processor's performance.
- The processor assists the controller, by appropriate technical and organizational measures, in responding to data subjects' rights requests.
- The processor assists the controller in meeting its obligations under Articles 32 to 36: security of processing, breach notification to the supervisory authority and to affected data subjects, data protection impact assessments, and prior consultation with the supervisory authority for high-risk processing.
- At the controller's choice, the processor deletes or returns all personal data at the end of the service and deletes existing copies, unless Union or Member State law requires the processor to keep them.
- The processor makes available all information necessary to demonstrate compliance, allows for and contributes to audits (including inspections) conducted by the controller or an auditor the controller mandates, and must immediately inform the controller if, in its opinion, an instruction infringes the GDPR or other data protection law.
GDPR Article 32 (security of processing) requires controllers and processors alike to take measures appropriate to the risk in order to protect the personal data they handle. A controller that outsources processing may use only processors that provide sufficient guarantees of doing so (Article 28(1)), which in practice means an assessment and monitoring process that verifies the processor, and any sub-processor it engages, maintains the same level of security.
The objective of this document is to hold vendors accountable for your information throughout its life cycle, from first transfer to final deletion. The agreement should therefore include specific clauses on what happens at contract termination: deletion of the data and of every copy, or its return to you in a usable format, ideally with a deadline and written confirmation of deletion.
Two other points from the list above deserve emphasis:
- The right to audit these vendors, which lets you verify that their systems and records actually support the obligations above rather than taking their word for it, and
- Cooperation in the event of a data breach, which we explore next.
Your Requirements For Breach Notification
This is where you document what you expect from the vendor when a security incident occurs. Statutory deadlines exist: under GDPR Article 33, a processor must notify the controller "without undue delay" after becoming aware of a personal data breach, and the controller then has 72 hours from becoming aware to notify the supervisory authority where the breach is likely to result in a risk to individuals. "Without undue delay" is not a number, and every hour the vendor waits is an hour taken from your 72, so your company also needs an internal incident response procedure, and the DPA has to impose the concrete deadlines that procedure depends on.
One important tip: make sure the DPA reflects your own requirements, not just the legal minimum. If you need the vendor to notify you within 24 hours of becoming aware so that you have time to investigate or activate your forensics team, write that into the DPA, together with the minimum content of the notification (what happened, which data and roughly how many records were affected, what the vendor has done so far) so that you can in turn satisfy Article 33(3). Also document the named first and second responders on both sides and the escalation path if the primary contact does not answer; a notification sent to an unmonitored mailbox can cost you the whole window.
Defining Your DPAs
The main point of a Data Processing Agreement is for the data controller to record every requirement that applies to the data shared with a vendor, from encryption and other technical controls to the type and frequency of staff training, so that the processor has the mechanisms and processes in place for a secure data flow. Write each requirement specifically enough that it can be checked during the audit the DPA entitles you to; a requirement that cannot be verified is a wish, not a control.
This article is Part 6 of our Guide to Data Privacy and Security:
- Part 2: Policies and Procedures
- Part 3: Accountability
- Part 5: Supplier Assessment Process
- Part 6: Data Processing Agreements (this article)
- Part 7: Data Categorization and Mapping
- Part 8: Privacy Assurance
How can StandardFusion help?
StandardFusion is a comprehensive GRC platform that includes a vendor management system. Within the tool, users can classify vendors and assign customized requirements depending on the type of data and the risk associated with each specific processing activity. Each vendor profile can be linked to one or more DPAs and can also store the signed agreements for future reference. Speak with our team today to see how you can create and manage multiple DPAs and vendors with StandardFusion.