By James Walsh
It is not that long ago that businesses were rushing to put in place contractual terms with their processors to comply with the GDPR’s requirements for the appointment of processors. It was often difficult for businesses to complete appropriate diligence on their suppliers, and specific security requirements to protect against cyber risks were often overlooked.
So, remind me of the requirements
The key requirements that controllers (i.e., most customers) need to meet to manage cyber risks with their processors (i.e., most suppliers) are:
- To use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure protection of the rights of the data subject; and
- To have a contract in place with the processor that requires the processor to take all measures required pursuant to Article 32 GDPR, which sets out the standards required for security of processing. The processor should also assist the controller in ensuring compliance with its obligations regarding the security of processing, taking into account the nature of processing and the information available to the processor.
If the processor commits to meet the security requirements, isn’t that sufficient?
The crux of the issue is this: while the GDPR sets out requirements relating to security – i.e., appropriate technical and organisational measures – it is not very prescriptive. The text is inherently legalistic and businesses are often left wondering how to apply the requirements.
So, while a processor may be required to comply with the legal requirements, the processor’s view of what technical and organisational security measures are appropriate may differ from the controller’s own views. Likewise, where processors perform commoditised processing activities, they may not have sufficient knowledge of the personal data and how the controller uses it to assess the risks adequately.
But if a processor commits to meet the security standards of the GDPR, won’t the processor be responsible for any non-compliance?
Clearly, if a processor is responsible for a security failure in breach of the GDPR, then the processor will have direct responsibility under the GDPR. But there is at least a possibility of the controller facing a fine for the security failings of its processor.
And if security measures are not adequately described in the contract with a processor, it will be difficult for a controller to show it has taken steps required to ensure it is only using processors providing sufficient guarantees to implement appropriate technical and organisational measures. It may also make it difficult for a controller to audit its processor, if the security standards are not objectively set out.
What sort of information security standards should be prescribed in the contract?
There are various key themes that should be addressed in information security standards. Often, it is useful to refer to generally accepted information security standards recognised in the market, like the ISO 27000 family of requirements or the UK Government’s Cyber Essentials scheme.
Information security requirements should include organisational security measures, such as:
- having in place and implementing appropriate policies and procedures to address risks identified with respect to the storing, transmission and processing of data in the performance of the services;
- ensuring that appropriate governance arrangements are in place with senior management oversight of cyber security standards;
- maintaining and implementing appropriate security certifications;
- education and training of staff involved in processing personal data;
- procedures for handling data security incidents;
- incident records and logs;
- continuous improvement processes.
In addition, technical measures should cover:
- compliance with particular security standards or certifications relating to the technical environment in which information is stored, transmitted or processed;
- access controls, logs and rights management;
- information barriers and data classification systems;
- physical security requirements – ranging from site controls and CCTV through to clear desk policies, if appropriate;
- technical security requirements appropriate to the services;
- authentication, back-up and deletion standards;
- sector-specific standards where required, such as PCI-DSS compliance for payment cards and network security requirements for telecoms providers;
- specific device controls – for example where mobile devices may be used in the processing of data.
Of course, this list is not exhaustive. Businesses need to think carefully about what best practice looks like for the services in question and what specific risks might need to be addressed with their processors. Short form and longer form information security standards may well be appropriate, depending on the specific processor and the services it provides.
Many of our suppliers refuse to accept our prescribed security standards. What should we do?
There are many reasons why processors may refuse to accept specific security measures imposed by controllers. This is often a matter of economies of scale, where suppliers have designed their services to meet particular requirements and may not be in a position to implement bespoke security measures for every customer.
Likewise, bargaining power often comes into play. In those situations, the processor should be able to provide, as part of the diligence process, details of the technical and organisational measures that it has in place under its own information security programme, to satisfy the controller that it can give appropriate guarantees of its security requirements.
And if the appropriate documentation exists, then clearly this can be set out in the contract, even if the supplier may require the ability to update it as part of the continuous development of the services. It still pays to have a detailed set of information security measures set out in the contract.
Why review supply chain standards now?
It is almost a year and a half since the GDPR came into force – and cyber security risks have moved on. We now know that regulators like the ICO are prepared to propose hefty fines, with values reaching into the tens and hundreds of millions of pounds.
And cyber risks have been front page news for other reasons, like in the development of 5G technology. It is clear that governments and regulators expect businesses to take better action to ensure appropriate security measures are in place to address cyber risks. Following best practice is now more important than ever.