Technical and Organizational Controls in a Processor Agreement: How do you make them work?
By Marianne Korpershoek
When an organization outsources its processing of personal data, the GDPR requires it to use only processors that can provide adequate guarantees for their level of security. Laying down security requirements in a data processing agreement was already a rule under the old law, but the ‘guarantee’ requirement that an organization must now meet is a big step further in establishing whether the processor has actually implemented sufficient technical and organizational controls. This is especially true now that there are more and more providers of handy apps and cloud applications that take tasks off an organization’s hands.
Consider, for example, an app for pre-employment checks, an app for video job applications, and so on. Can you still rely on the Guidelines on the Protection of Personal Data published by the Dutch Privacy Authority five years ago, or are there other guidelines that must be taken into account? Below is a step-by-step plan for constructing the processor guarantee required by the GDPR.
In any case, the Guidelines contain a scheme that includes all the steps for the proper security of personal data. It uses the Deming cycle for continuous improvement: Plan, Do, Check and Act. This article concentrates mainly on the Check phase, because at this stage it can be checked whether the processor (supplier) offers sufficient security guarantees. But to be able to check carefully, it is important to know what needs to be checked, and that must be determined in the Plan and Do phases. Clearly, before an organization knows which security measures are necessary to protect its data, it needs a good risk analysis of the consequences of theft, corruption, or loss. For example, given the risks, medical data simply requires more security than the membership administration data of a community garden association.
Step 1 Determine Risk Categories
The GDPR requires that a controller must make an inventory of the risks in the processing of personal data before the processing starts. This means that the security measures will not be the same for all processing operations. In order to be able to assess the required level of security, it is important to determine the risk categories of the processing operations in the planning phase.
Once a processor is contracted, the minimum security controls necessary to guarantee a good level of security can be determined with the help of the risk categories and possibly a business impact analysis (BIA). The security controls can come from the ISO 27001 standard for information security. These security requirements can also be obtained from the abovementioned Guidelines. As the security risks increase, for example because highly sensitive personal data such as medical or ethnic data is being processed, more security controls will be needed to reduce these risks and prevent them where necessary.
Certainly, the information from the DPIA (Data Protection Impact Assessment) can also be used to determine what the security level should be.
Step 2 The Business Impact Analysis
The BIA is used as the first step in establishing a business continuity plan, but it can also be a good way to determine privacy risks when hiring an external processor. A BIA measures the consequences of the loss of confidentiality, integrity and availability of a company’s data. Usually the consequences are measured in money, but of course they can also be expressed as risks for the privacy of those involved. Controls for the confidentiality and integrity of data have the most impact on the security of personal data. Linking the right security controls to privacy risk profiles is a task that must be performed by a security expert.
Step 3 The Data Processing Agreement
As noted above, the controller should choose a processor that provides adequate guarantees for appropriate technical and organizational controls. The GDPR also stipulates that a processor must cooperate in audits by the controller or a designated organization. The processor’s security controls must also take into account the state of the art. This means that the controller and processor, especially in the case of high-risk processing, must regularly keep up to date with any new security advancements.
Of course, the controller can regularly audit the processor, but it is even more practical to request assurance reports from the processor. Because the state of the art is constantly changing, driven by technological developments on the one hand and the increasing trend of cybercrime on the other, it is important that the controller and the processor hold regular (at least annual) consultations to evaluate and adjust security levels. This is particularly important for large processing operations, which can create many privacy risks. These consultations must, therefore, also form part of the processor agreement.
Step 4 Audit or Assurance
Assurance goes a step further than certification. With a certification for information security, for example, it is checked whether the processor has implemented the security controls. With assurance such as ISAE 3402 SOC 2, it is checked over a period of at least six months whether the security controls over the processing are actually being complied with. In contrast to ISO 27001 certification, an ISAE assurance report is less detailed: in the context of the ISAE, the auditor assesses the processes that affect the client’s financial statements. ISO 27001 certification produces a more detailed report, but because a test of actual use is lacking, an ISAE 3402 SOC 2 assurance can ultimately offer more certainty. More and more large service organizations, such as Amazon Web Services and Microsoft, can provide ISAE 3402 SOC 2 assurances. However, that is not often the case for smaller service organizations or suppliers of specific tools, applications or apps.
Certainly for sensitive personal data, or other personal data that poses a great risk such as location data, a type 2 assurance should always be requested. At the moment, however, the market of SaaS providers is still immature. Large parties such as Microsoft and Amazon Web Services do offer assurances, but smaller parties that usually offer a single application are often not even certified for information security. As long as this market remains immature, a controller will have to draw up and enter into contractual provisions that ensure that the agreed security is safeguarded. For example, a controller could require a guarantee in the processor agreement for the implementation of the agreed security measures. Furthermore, in the purchasing phase, an active search should be made for a processing provider that can offer the security level established by the controller in the Plan phase. In certain cases, a controller will have to reject a processing provider that cannot offer sufficient security guarantees.
The GDPR imposes stricter requirements on the selection of a processor. At present, the market of SaaS providers is immature. There are not many SaaS providers that have a clear and transparent security policy attuned to the privacy risks of the personal data being processed. The GDPR offers the possibility of relying on approved certification mechanisms; however, these are not yet available. As long as the SaaS provider market remains immature, it is important for the controller to first determine the risks of processing a certain category of data and establish what the security controls should be, before provider selection takes place. Furthermore, it is important that the implementation of these controls is adequately mandated by including guarantees concerning the controls in the contract, and that audit rights or assurances are included so that compliance can be checked.
About the author
Marianne Korpershoek is Lead Legal Counsel Global ICT Programs & Operations at DSM. She is an experienced lawyer in complex IT cases, privacy and IT procurement. She has profound knowledge of IT, digital & AI, and the business.
This article is written in a personal capacity.