Vendor Management – HIPAA and GDPR overview

Companies increasingly rely on third-party vendors to meet their operational needs. Yet, managing data risks in an outsourced world has become a major challenge for security, compliance, procurement, legal and executive management.

Both the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA) set requirements for vendor management.

A business that appoints a third-party vendor to process personal data on its behalf is required to do so under a binding written agreement. The GDPR calls this mandatory agreement a Data Processing Agreement (DPA); under HIPAA it is the Business Associate Agreement (BAA).

GDPR
The DPA terms must stipulate that the processor:
i. Only acts on the documented instructions of the controller
ii. Imposes confidentiality obligations on all employees
iii. Ensures the security of the personal data that it processes
iv. Abides by the rules regarding the appointment of sub-processors
v. Implements measures to assist the controller in guaranteeing the rights of data subjects
vi. Assists the controller in obtaining approval from the DPO
vii. Either returns or destroys personal data at the end of the relationship
viii. Provides the controller with all the information necessary to demonstrate compliance with the GDPR
ix. Deletes or returns all personal data to the controller upon request at contract termination, and
x. Makes available to the controller all information necessary to demonstrate compliance with the Article 28 obligations, and allows for and contributes to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
The terms above must be present both in contracts between controllers and processors and in contracts between processors and sub-processors.
It is essential that the processor (or sub-processor) appointed by the business complies with the GDPR.

Therefore, before entering into a data processing relationship (whether you are a controller appointing a data processor, or a data processor appointing a sub-processor), you must carefully assess the third party's fitness and propriety in terms of data protection and information security.


If you are GDPR compliant, you have already performed many Data Protection Impact Assessments to date.
You may be asking, why should I perform such risk assessments?

Simply because the EU General Data Protection Regulation holds companies and their vendors (controllers and processors) jointly liable. Hence, it is critical to analyse vendor data transfers and contractual obligations with the same level of diligence as internal processing activities.


Under Article 28 of the GDPR, controllers must choose processors who can provide sufficient guarantees of appropriate technical and organisational measures (if the personal data processed includes any category of sensitive data, such as health data, the measures should be enhanced). The burden is therefore on the controller to put processors through a vetting process.

Of course, this is not groundbreaking news, and most likely your organization was doing this already.


The same applies to processors (software providers) that process data and engage new sub-processors: you and the sub-processor you engage are jointly liable. If you are a SaaS company, what should you do before engaging a new sub-processor?


That is where things are starting to get remarkably interesting.


Processors can only engage a sub-processor under the following conditions:
i. With the prior approval of the data controller. Even with a general written authorisation from the controller (e.g., one included in the Processing Agreement), the processor must notify the controller if it intends to engage a new sub-processor or change sub-processors, and must give the controller the opportunity to object to the change.
ii. Under a written contract containing the specific requirements found in Article 28 GDPR.
iii. By imposing on the sub-processor the same data protection obligations that the data controller imposes on you.
iv. Finally, processors (software companies) may not process personal data except on instructions from the controller.

If they process the data beyond those instructions, they will be treated as a controller at that point and will be responsible for meeting controller obligations and liabilities under the GDPR (in addition to violating their processing agreement, of course).


It is recommended that clients publish a sub-processor list on their website to inform data controllers about newly engaged sub-processors.

HIPAA
The Health Insurance Portability and Accountability Act has its own terms for vendors, which are known as “business associates”.


Business associates are persons or entities that perform certain functions or activities involving the use or disclosure of protected health information (PHI) on behalf of, or in the provision of services to, a covered entity (i.e., health plans, health care clearinghouses, and health care providers that transmit health information in electronic form in connection with certain transactions).


The HIPAA Privacy Rule allows covered entities to disclose PHI to business associates if they execute a written agreement stipulating that the business associate will use the information only for specific purposes, will safeguard the PHI, and will help the covered entity comply with its duties under HIPAA.


Moreover, the written Business Associate Agreement between the covered entity and the business associate is required to include some specific elements. It:
i. Establishes the permitted and required uses of PHI
ii. Provides that the business associate may not use or further disclose the PHI other than as permitted or required by the contract (or by law, of course)
iii. Requires the use of appropriate safeguards to prevent unauthorised uses or disclosures of PHI
iv. Requires reporting of any unauthorised uses or disclosures to the covered entity (no later than 60 days, as opposed to 72 hours in the GDPR)
v. Requires the business associate to ensure that any subcontractor (called a sub-processor in the GDPR) that will have access to PHI agrees to the same restrictions and conditions that apply to business associates
vi. Requires the destruction of the PHI at the termination of the contract
vii. Requires the business associate to make available its internal practices, books and records relating to the use and disclosure of PHI.

Both HIPAA and the GDPR have similar rules in relation to vendor management and companies abiding by both regulations must utilize a risk-based approach, which requires the implementation of “appropriate technical and organisational measures.”

However, under the GDPR you must also request prior authorisation from, and notify, the data controller about any new sub-processors you engage; under HIPAA, PHI handled by a subcontractor remains subject to the same restrictions and conditions that apply to you (a condition that is also a GDPR requirement).

Risk assessment is not a one-off exercise; it must be kept under constant review for the duration of your contract with the sub-contractor and should be in line with your policies and procedures.
