Denial is not a river in Egypt
And passing the buck has nothing to do with a deer changing hands
What’s the saying? A bad workman always blames his tools?
Or, to translate that into modern-day GDPR parlance: Hapless data controllers will always try and pin it on their suppliers…
That’s right. We’re talking about the recent debacle that hit the news involving the Tory Party Conference mobile app.
(In case you missed it, a major security flaw in the Tory Conference app made the private data of senior party members – including cabinet ministers – accessible to anyone who logged in as that particular conference attendee. By second-guessing attendees’ email addresses (often by using their parliamentary ones which were listed on the House of Commons website), and without any second layer of security, it meant that the personal data of hundreds of conference attendees could be accessed, including their phone numbers. If that breach in itself wasn’t enough, once logged in as that user, the person’s profile could also be amended!)
As the data controller, the Party pointed the finger at the software developer. And yet, whilst they acknowledged their part in the mishap, the apportioning of blame isn’t as clear cut as it seemed.
You see, if the conference organisers had been up to speed with their data controller responsibilities and carried out the appropriate due diligence when they first outsourced the app, it could have been very different…
Or to put it another way using the (slightly gentrified) 7 Ps adage: Proper Planning and Preparation Prevents ‘Pee’-Poor Performance…
Putting privacy first: how confident are you in your data protection supply chain?
In our previous blog, we talked about how conducting a DPIA (Data Protection Impact Assessment) helps you identify and minimise your data protection risks.
This blog follows on from that and neatly ties in with the Tory Party Conference app example above; that is, as the data controller, you need to put privacy first and know your supply chain!
And how, as the data controller, it’s your responsibility to understand the flow of data into and out of your business. Had the Tory Party done that, it’s highly likely that the incident could have been avoided.
Making sure you’re covered with a contract – denial is not a river is Egypt!
It’s not easy being a data controller, especially a responsible one. But it is easy to find out and understand what’s expected of you.
And that’s why you can’t just pass the buck down the supply chain. Yes, the data processor was at fault (and quickly rectified the glitch); but the controller should have thoroughly reviewed its suppliers and assessed the risks of using them.
As with the case above, if you’re a data controller outsourcing a task to a third party that involves personal data, you should have a written contract in place so that both parties clearly understand their roles, responsibilities and liabilities. It’s that important.
What’s more, the GDPR makes written contracts between controllers and processors a general requirement, rather than just a way of demonstrating compliance.
Here are some ICO contract pointers and need to knows:
- Controllers are liable for their GDPR compliance and, therefore, must only appoint processors who can provide ‘sufficient guarantees’ that GDPR requirements will be met and data subjects’ rights will be protected.
- Although processors have some direct responsibilities under the GDPR and may be subject to fines or other sanctions if they don’t comply, they can only act on the documented instructions of a controller (unless required by law to act otherwise).
- All contracts need to include the following details:
- the subject matter and duration of the processing;
- the nature and purpose of the processing;
- the type of personal data and categories of data subject; and
- the obligations and rights of the controller.
- The processor must take appropriate measures to ensure the security of processing and keep records of processing activities.
- The processor must assist the data controller in meeting its GDPR obligations regarding the security of processing, the notification of personal data breaches and data protection impact assessments.
- The processor must provide the controller with whatever information it needs to ensure compliance, cooperate with supervisory authorities (such as the ICO) and submit to audits and inspections, and inform the controller immediately if there’s a risk of infringing the GDPR.
- If a processor employs a sub-processor to manage the task, it needs the prior consent of the controller as well as having its own written contract in place.
- If the contract is fixed-term, the processor must delete or return all personal data to the controller at the end of that term.
Remember: Proper planning and preparation…
These above are just some of the things you need to know about your third-party processor’s responsibilities and will help to show that you’ve really done your homework on them.
And even if you are prepared to not do the proper checks and run the risk of your supplier being useless, that’s still not really a valid option!
So, that leaves two alternatives – be accountable and appoint a secure processor or be accountable and keep looking until you find one who is!
In the meantime, who’d like to know Boris Johnson’s favourite colour and the name of Michael Gove’s first pet…?
Until next time...