Compliance costs CEOs should be considering
A few weeks ago I wrote an article suggesting that the filing of Registration Particulars required by section 16(2) of the Data Protection Act(DPA)coupled with the section 17 requirement of the Information Commissioner to maintain this information in a public register, may have a crippling effect on a company or firm’s drive to innovate and offer increased customer value. Conversely, we see where making available Data Protection Impact Assessments(DPIA) filed with the Commissioner, to specified entities may reduce the cost of contracting third parties. The chink in this rationale however is that data processors are not subject to the Data Protection Act and as such are not required to file DPIA’s with the Information Commissioner.
This article looks at the responsibilities of data controllers to conduct due diligence on data processors and the associated transaction costs, the requirement of data controllers to conduct and file Data Protection Impact Assessments and the benefits of having data processors file DPIA’s and having it made available to data controllers.
Section 30(4) of the DPA dictates that a data controller can only work with a data processor that provides sufficient guarantees in respect of the technical and organizational security measures governing the processing to be carried out; and (b) take reasonable steps to ensure compliance with those measures. This places a heavy financial burden on the data controller to ensure some form of audit is conducted on the data processor in order to demonstrate they took reasonable steps to ensure compliance by the data processor. Conducting audit whether done inhouse or outsourced involves time and money increasing in the cost of engaging the services of third parties.
At the heart of this requirement is the obligation of the data controller to ensure that the personal data of their customers are protected even when it is being processed by a third party on their behalf.
In case you are wondering if you are a data controller, more than likely you are if you have a business or organization and have employees or customers. A data processor on the other hand is any entity that processes personal data on your behalf, for example if you hire a lawyer, marketing company or a software company.
Back to the matter at hand, the law requires data controllers to take reasonable steps to ensure that sufficient technical and organizational measures are in place to protect the personal data you give to that law firm or marketing company. This means you understand how personal data is processed by either the law firm or marketing firm and understand what technical and organizational measures are in place to protect the personal data. Having completed that exercise you are then required to ensure that the law firm or marketing firm is actually complying with those measures. If you or your company has several data processors, conducting the requisite due diligence can become a time consuming and expensive exercise.
This issue came to the fore a few months ago when the Spanish Data Protection Authority handed down a fine of €4 million against Vodafone, a European telco, for violating article 28 of the GDPR, as they had not required verification of compliance by the data processors by conducting audits or inspections. Similar to our law under the GDPR data controllers are required to ensure that their data processors provide sufficient guarantees to implement appropriate technical and organizational measures to meet the requirements of the Regulation and ensure the protection of the rights of the data subjects.
The investigation by the Authority revealed that Vodafone did not have the means, technically or logistically, to verify the legality of the data it was processing, this was because they had outsourced so much of their operations to third parties. The Authority found that there was a lack of real, continuous, permanent and audited control of the processing operations carried out by the processors who Vodafone relied upon to carry out parts of their commercial activities.
In discussing this case and its implications with an international panel of Data Privacy experts, on our weekly Data Privacy clubhouse forum, one of the major concerns emanating from the discussion was the cost of conducting due diligence where a data controller has several service providers. It was concluded that to be compliant a data controller would have to have in place a robust supplier management programme.
It is our view that the costs and time associated with implementing and maintaining a robust supplier management programme can be significantly reduced if data processors were required to file DPIAs and these DPIAs could then be reviewed by data controllers. Section 45 of our DPA requires that each calendar year data controllers submit to the Commissioner a DPIA in respect of all personal data in their custody. Included in the DPIA should be:
(a) a detailed description of the envisaged processing of the personal data and the purposes of the processing, specifying, where applicable, the legitimate interest pursued by the data controller;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
© an assessment of the risks to the rights and freedoms, of data subjects,and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Act, taking into account the rights and legitimate interests of data subjects and other persons concerned.
If data processors were to file this information with the Commissioner’s office every year at least three quarters of the due diligence work of the data controller would be completed. The data controller would now only need to satisfy himself that the data processor has implemented the measures envisaged.
The challenge is that data processors are not subject to the DPA. One may argue that it would be a prohibitive burden placed upon data processors to require them to file an annual DPIA. It is our position that it would be more expensive for them not to. As soon as the DPA is in full effect, data processors would be required to basically prepare DPIAs for data controllers who wish to retain their services and undergo a due diligence exercise with each new business client. We suggest that instead of having to do this for each client it would be more cost effective for both parties if the data processor were to file a DPIA one time per year.
It is time business owners start acknowledging their obligations under the Data Protection Act, once they have done so they can start considering the costs implications and how best they can be mitigated. Mitigation in this instance would mean lobbying to have the legislation amended to require data processors to file DPIAs. While lobbying to have the legislation amended CEO’s may also want to lobby to amend the requirement of the Information Commissioner to maintain registration particulars of data controllers in a public register.
Chukwuemeka Cameron LLB LLM is a privacy practitioner and the founder of Design Privacy a company that helps you comply with local and international privacy laws. Feedback can be sent to ccameron@designprivacy.io. For information on how ready you are for the DPA check out our website at www.designprivacy.io