GDPR and Processor’s Use of and Liability for Sub-Processors

Transcript of the Video

Good evening ladies and gentlemen. Suzanne Dibble here, data protection law expert, coming to you raw and uncut. Tonight I'm talking to you about data processors and data processors' liability for sub-processors. It might not apply to all of you, but for those of you that it does apply to, it's an important area that I've not picked up before in any of my videos or training. It just occurred to me today because I'm finalizing the brief processor agreement, and I've put lots of notes in there. Hopefully, it will be a lot more self-explanatory and easy to complete, so I hope you like that.

But, if you are a processor and you're using a sub-processor, then there are a number of issues around that. Now, what might be an example of a processor using a sub-processor? Well, my accountant, who's a very nice chap, looks after my payroll, but he outsources that to a payroll company. My accountant is my processor, and the payroll provider is the sub-processor. That's just an example of how you would have a processor and a sub-processor. There are lots of other examples. That's just the one that I'm using here.

The first thing to note is that there are restrictions on data processors engaging sub-processors. Excuse me. I have a very sore throat tonight. I'm quoting from the GDPR here: "without the prior specific or generally written authorization of the data controller." In my view, it's better if you've got a specific authorization, and the processor agreement is drafted on that basis. Ideally, you want to know who the sub-processors are, and know as much about them as you can. If you give a generally written authorization to the data processor, you might say, "As long as they meet these conditions, you can appoint a sub-processor."

In that case, the data processor must inform the data controller, i.e., you, of any changes ... I say "you" on the basis that you're not a data processor in this instance, but you understand, I'm sure, if you've watched any of our training, that the data controller is the person that controls the personal data relating to the data subject. The processor is the person that processes that personal data under the instruction of the controller. So, the controller has to give the specific or generally written authorization in order for the processor to appoint a sub-processor. But, if it's a general authorization, then the data processor has got to inform the data controller of any changes to sub-processors and give the data controller the opportunity to object to those changes. Now, that is included in the data processor agreements. You don't need to remember that. I'm just flagging that.

Now, there are also a number of requirements in the GDPR that govern the relationship between the processor and the sub-processor. The main things are that the data processor has to enter into a contract that is the same as the one between the data controller and the data processor. You're kind of passing that contractual protection down the chain to the sub-processor. The data processor has to ensure that the sub-processor does not process personal data except on instructions from the controller. Not on instructions from the processor; from the controller. The processor can't just dream up things to do with the data subject's data unless the data controller has authorized that. It goes without saying in my example of my accountant and my payroll provider.

My accountant couldn't just say to the payroll provider, "Oh, this is what needs processing," and make up some figures for example. They couldn't do that. Even if they're trying to help me out, maybe I had been a bit slack on getting back to them in the required timeframe to confirm the monthly salaries for that month. The accountant couldn't say, "Oh well, the salaries have all been the same for the last nine months. I'll confirm to the sub-processor that it's going to be the same for the tenth month." They couldn't do that because the sub-processor has got to be able to process personal data only on instruction from the data controller.

Now, this is the key bit for data processors out there. The data processor remains fully liable to the data controller for the performance of the sub-processor's obligations. If your sub-processor doesn't perform on the contract, or there is in some way a data breach that needs remedying, or whatever it might be, the data processor is fully liable to the data controller. It's really important to make sure that as a processor you use sub-processors that are GDPR compliant, that have all the appropriate protections and measures in place, and it's really important that as a processor you do due diligence on your sub-processors. What might that look like? Let me find my notes here, and I'll tell you what type of due diligence you should be doing. Sorry.

Here's what you should be thinking about. Looking at and asking questions about what measures they've got in place against unauthorized or unlawful processing of the personal data, and against any accidental loss, destruction or damage. Asking them about what technical and organizational security procedures they have in place to secure the personal data. What processes they have for destroying and archiving personal data. Ask them about their policies, procedures, internal controls and training manuals to assess the sub-processor's capability to recognize and manage changing data security risks, to conduct appropriate training and oversight of employees, and to meet their contractual requirements under the GDPR. You should do that initially, before you actually appoint them as sub-processor, but then keep it under review, so conduct follow-up audits and reviews to make sure that they are actually complying with their contractual obligations, because if they're not, then you're liable for that.

Also, you should be keeping records of the categories of data that the sub-processor processes, in a form that you could provide to the supervisory authorities if they requested those from you. GDPR, I think, is going to bring into focus the chains of contracts where personal data is being processed. It could be sub-processor upon sub-processor upon sub-processor; it doesn't mean that there's just one. Obviously, if you've got a very simple business, don't worry. They supply this to you. If you're not transferring your data to anybody, you don't need to worry about this. But for those of us that do have more complex businesses, we really need to think about that contractual chain, and how that data is secured all the way through that chain in the light of the obligations in GDPR, and the associated liability.

A video that I think is important is not going to be relevant to everybody, but if you are a processor of any type, then it's really important to consider all of that when you are working with sub-processors. If you haven't already, and I hope that you are now ... I know the ICO said that the 25th of May isn't a deadline, but we may as well work towards that in our efforts to be compliant. I hope that those of you who are processors have at least started that data inventory, looked at what personal data you're the controller of, and what personal data you're processing as a processor. And then looking at the chain downwards from you, and looking at that flow of contractual obligation and liability.

That is all. Do go and check out the new processor agreement. For those of you who are processors, I'm going to do another ... In fact, I said I was going to do another version from the processor's point of view. What I've done is the new processor agreement that I've just put up on the membership site. It has highlighted which clauses are mandatory according to GDPR. If you are a processor and you look through those and you think, "Oh, okay, that's not my favorite and it's not mandatory," then you can choose to remove that clause. That's what I've done for you guys. What else do I need to say about processors? No, I think that is it. Any questions, let me know, but otherwise, I want you to do that for your processors.

I know 90% of the questions within the group are about marketing, and I say the same things over and over again. I know how important it is to you to get this right, and I know how much conflicting information there is out there. That's why I'm going to be doing a one-and-a-half-hour webinar, I think this Thursday lunchtime, and I'll post details about that soon, so we can get all of that on the table and cleared up to the best that we can, bearing in mind that there isn't guidance on every single thing. There are quite a few gray areas, but we'll do our best. That's it for now. I'll see you soon.