By Steve Mellings
Founder of Asset Disposal and Information Security Alliance (ADISA) and COO of DP Governance Limited
The press is awash with the GDPR feeding frenzy from experts peddling fear. Anyone who has actually read the legislation will know that, whilst there are several new key concepts, the GDPR is really just a sensible extension of existing data protection requirements but with a fundamental change to empower the data subject to have far more rights on their data then before.
So with just over six months to go before Ireland is required to have the GDPR enshrined into law, this article will look at one area which has seen quite a few changes, Data Processors, and will try to provide some sensible advice on how this can be one area where compliance need not cost the earth.
What is a Data Processor?
This may seem a little basic but it’s important for organisations to actually define what a Data Processor is. The legislation says “processor means […] a public authority, agency or other body which processes personal data on behalf of the controller.” Cross reference that to the definition of processing which is: “any operation or set of operations […] such as collection, recording, storage, […] erasure of destruction”, and we should have a fair idea what the regulators are referring to and where our focus needs to be.
So, we can see in real terms, if you as the Data Controller use a third party for any of the processes suggested in Article 4 (2) then they are a data processor and need to be treated as such. In my experience this brings a whole range of partners into scope who have traditionally been viewed as not being part of the info sec/data protection remit. Examples are telemarketing, payroll, and of course, IT Asset Disposition (ITAD) companies.
Many of you will be starting your GDPR journey and, as such, your Register of Processing Activities (ROPA) should identify these processes and processors, but don’t allow your bias to preclude the glaringly obvious from being included. An Asset Disposal and Information Security Alliance (ADISA) 2012 FOI report showed that 66% of UK Police Forces were breaking the Data Protection Act 1998 because they didn’t view their asset disposition partners as Data Processors and therefore had no contract in place with them. Sometimes the glaringly obvious gets overlooked even by those we expect to know better.
As this example shows, just because something is written into law it doesn’t mean organisations will comply. So what makes GDPR any different?
New obligations for Data Controllers and Data Processors
The first major difference is that under the GDPR, Data Controllers are expected to show far greater controls over the selection and management of data processing partners. There is now a requirement for Data Controllers to screen their data processors prior to use. Controllers must look for guarantees of TOMS (technical and operational measures) (article 28 1) while also requiring processors to sign up to industry codes of conduct and hold relevant certification. (Article 28 5)
In addition, unlike previous DP laws, the Processor must now behave differently when engaging with a Data Controller. Not only must they be far more transparent about the processing activities which they undertake and how they protect data, they must also now accept EQUAL liability for a data breach. Under previous legislation the data processor only held contractual liability, not legal. This has changed with the GDPR and, as such, Processors must be aware of the potential exposure they now face. With fines in the event of a data reach reaching up to 4% of global turnover, all of a sudden, poor processing activities could be disastrous for many organisations.
Another significant change is the use of sub-processors. In some recent work at Data Protection Governance (DPG) we helped identify over 40 previously unknown sub-processors within an organisations data processor partner network. The issue stemmed from poor or non-existent contracts and service specifications being in place. All of these are now in scope and subject to proper onboarding, management and assessment. Without this type of granular review, a data breach in any one of these would leave the data controller, almost certainly, holding the liability on their own.
Step 1 to Compliance when dealing with Data Processors: The Contract
With all of these new obligations, the most critical document which is mandated to now exist is the contract between Controllers and Processors. Under the GDPR both parties must now have a contract in place in order for them to meet their obligations. The specification of these contracts is included within Article 28 3(a) but these requirements are relatively high level. So, what should be included in these contracts to protect both parties? The answer to that will largely depend on the nature of the processing being undertaken so let’s identify one example: IT Asset Disposition (ITAD) services.
Most contracts I have seen within this sector are largely based around business commercials. Slightly bland, legal documents which provide a basis for working together. They are normally supported by a Statement of Works (or something similar) which gives a very high level of service specification. It is this last piece where Data Controllers must be careful. This service is different from many other Data Processor services because whilst the primary focus is on data erasure the Data Processor does not (or should not at least!) access the data itself. Therefore, the normal risk mitigations within GDPR are measured by assurances that the correct technical and operational measures (TOMS) are going to look very different than TOMS presented for an organisation holding your data on their network. So whilst a focus on standards like ISO 27001 are good, these can, and often do, offer little in the way of assurance over risk mitigation in the ITAD process. Let’s expand on that.
The ITAD’s role is to manage the physical asset and then to perform a data sanitisation process on the media within that asset to ensure the data is no longer available. So, key parts to this service are the creation and management of the chain of custody (asset assurance) in the process. We see all too often organisations releasing assets with very little confidence that they know precisely what they have released. Asset lists are largely box counts and even then, inaccurate. So without this key starting point evidencing control of the ITAD process, how can the Data Controller evidence assurance and control over the processing activity? If they don’t know what’s being processed then surely all bets are off?
So when the assets have been collected what security countermeasures are in place to decrease the potential for theft or loss? How are the assets returned to the ITAD? How are they received? How are they then processed in their facility until the point when the data service is executed? All of these factors should be considered and included within the services specification. Within the ADISA certification it is these factors we spend most of our time maintaining with our members as this is where we see the real risk within the process.
Finally, we need to specify how the data is to be rendered unusable? Do we physically destroy the media (and lose the potential residual value and have a negative environmental impact) or do we look to promote re-use and use software overwriting processes? Phrases such as “must delete all data” are not worth the paper they are written on. Data Controllers really must do some research and specify what action is to be taken with each media or product type. Ask your ADISA supplier for their Data Capability Statement and this will give you a good starting point.
Summary
As is now clear, it’s essential for the Data Controller to get deep into the detail to really evidence the level of management of processing activities required under GDPR. At DPG we’ve seen some organisations’ approach to Data Processor management as being rather akin to selecting a vendor at random. Whilst there may be long-standing relationships set up like this, a regulatory authority would look very dimly on any organisation who freely gives personal information held under their control to a third party without a contract being in place including a full specification of services and assurances about the very protection of that data. So why take the risk?
Steve Mellings is presenting on this area at AMI’s upcoming GDPR seminar ‘GDPR Compliance – The Final Countdown’ in Dublin on Thursday, November 23rd. Those interested in attending can register for this free event here (event ended). But you can read the recap here.