As outlined in a recent article on reducing privacy risks when outsourcing, organizations entrusted with the personal data of their customers need to do their due diligence when engaging service providers who will have access to this information. This article now focuses on the service provider, or data processor/sub-processor, who is presented with a detailed data protection agreement/data processing agreement (DPA) or some equivalent.
The processor (that is, an organization that processes or hosts personal data as required to perform its services for its client, the data controller) often feels a sense of pressure to sign the agreement it is presented with. It may in fact already have access to the personal data in question, but is now being told by its client that it's 'company policy' to get all processors to sign their DPA right away. Indeed, with legal frameworks like the EU General Data Protection Regulation (GDPR), the California Consumer Protection Act (CCPA) and most recently the Brazilian General Data Protection Law (LGPD), which will be enforced next year, cross-border data transfers have become complicated. With such laws delineating what accountability looks like when entrusting a third party in a foreign jurisdiction with personal data, service providers are being asked to sign off on detailed privacy and security clauses. Now that the EU-U.S. Privacy Shield framework has come crumbling down, further confusion abounds.
Canadian processors I have worked with recently have also been presented with Standard Contractual Clauses even if they are processing personal data strictly in Canada. This is not necessary as the European Commission granted Canada adequacy status under the EU Data Protection Directive, the GDPR’s predecessor, due to Canada’s overarching legislative privacy framework. There is some concern that Canada may lose this designation in the future if our privacy laws are not strengthened, but with our existing designation, controllers must understand that SCCs are not necessary when the personal data of EU residents will be processed strictly in Canada.
Overall, it is important for service providers to be careful about what they are committing to. Don’t assume you’re being presented with a ‘take-it-or-leave-it’ arrangement. It may appear this way, but many controllers are willing to discuss the DPA and adjust it to appropriately reflect the relationship. As a processor, in addition to ensuring the jurisdictions involved in the data flow are accurately reflected, it is also important to understand:
- The specific details of the information security program and privacy framework that you are committing to have in place under the DPA. It is critical to be clear on how requirements can be practically achieved by your organization and whether there are certain security controls that need to be redefined;
- Whether and how any standards referenced in the DPA, such as ISO 27001 or SOC 2, must be taken into consideration;
- How to respect data subject rights as may be referenced in the DPA;
- Whether your privacy breach management procedure meets the controller’s expectations with respect to breach reporting;
- Whether your sub-processors are appropriately identified and whether the commitments they are making to you are adequate in light of the DPA’s requirements; and
- Who should be responsible going forward for ensuring information security and privacy commitments made continue to be respected.
What could go wrong if you sign a DPA without ensuring you’re complying with it? It’s in the context of a data breach that a controller may turn to a processor looking for avenues to spread the liability. Your due diligence is therefore critical.
For assistance with understanding a DPA or an equivalent agreement presented to you by your client, contact PRIVATECH. We pride ourselves on not only providing legal advice to processors being presented with a DPA, but also providing practical advice on implementing privacy and information security programs that reduce the risk of a breach and demonstrate a commitment to data protection.