(Updated with information on VCDPA on 19th March, 2021)
For a long time experts have warned about supply chain and supplier risk. Vendor and third-party management practices, which previously were seen as elements of a mature security governance program, have become standard elements of new data protection law. But are organizations actually aware of the newly introduced requirements? We summarize the relevant regulations and requirements to look out for.
The four regulations we are going to look at all contain the concept of a written agreement with the suppliers you share personal data with. But the actual terms used to name the parties and the agreement differ.
The most widely known terms relating to data protection - which we are going to use in this article - come from GDPR. Here, data controllers share personal data with data processors. This exchange of personal data needs to be governed by a contract, referred to as a data processing agreement or addendum (DPA). In addition to the DPA, GDPR talks about technical and organizational measures (TOMs), which are either incorporated into the DPA or form a separate document.
CCPA defines service providers to be entities that process personal information on behalf of a business for a specific business purpose. The sharing of personal information needs to happen pursuant to a written contract. Usually, this contract is similarly referred to as a DPA, but sometimes it is part of the service agreement or a service provider addendum.
A processor, according to the VCDPA, is a natural or legal entity processing personal data on behalf of a controller. The data processing of the processor shall be governed by a binding contract that contains clear instructions on the processing done on behalf of the controller.
Singapore enacted a comprehensive data protection law back in 2012 and has recently updated it. The PDPA uses the term data intermediary for cases where an organisation involves another organisation in the processing of personal data. Data intermediaries are exempt from some of the requirements of the PDPA if their processing is pursuant to a contract. An additional guideline, the Guide on Data Protection Clauses for Agreements relating to the Processing of Personal Data (2016), contains Sample Data Protection Clauses (SDPC) to be included in the Service Agreement.
While phrased differently by the individual laws we are analyzing here, the core requirements are very similar. They can hence be met by applying one generalized process across jurisdictions. In addition to the core requirements called out in the law, there are guidance documents and best practices which will also determine how to shape your vendor management.
The number one requirement of any data protection law is to guarantee that anyone receiving personal data under that law understands and follows it. While the specific responsibilities of a supplier might be lighter under the law, they still need to abide by a number of requirements, and this needs to be called out in their DPA.
Data processors are required to keep the received personal data confidential and to process it only as needed to provide the services of the agreement and as put in writing in the DPA. Sometimes, documented instructions are interpreted as the whole of the functionality available through the supplier's configuration interface that the user has set up. The only exception to this requirement is data processing activities that are required to meet the supplier's own legal obligations.
New data protection regulations have increased the security requirements surrounding personal data. This includes requirements for technical protection, such as circumstances where encryption is needed, as well as organizational measures, such as regular testing and incident response. While the CCPA does not specifically call out these requirements for suppliers, it does say that data processors become liable if they don't follow the instructions of the agreement, and hence the CCPA motivates businesses to introduce such requirements. Additionally, security breach requirements remain in force in California, and the new California Privacy Rights Act (CPRA Section 4) will introduce security clause requirements into DPAs.
As a natural consequence of only being allowed to use personal data according to the instructions of the agreement, personal data needs to be deleted or returned at the end of the service period. As returning the data can be a heavy process, most agreements already include the option of deletion, but access and export capabilities during the service period are increasingly expected.
As we've seen, suppliers need to adhere very strictly to the instructions set out in their DPAs to avoid being exposed to stricter data protection compliance requirements. This often includes the requirement for a supplier to disclose its own supply-chain list and to restrict any changes to this list without the acknowledgement of the data controller, i.e. the customer (GDPR Art. 28(2), CPRA 1798.140(ag)(2)). It is also the supplier's obligation to ensure that all members of the supply chain follow the same rules as set out between the supplier and its customer (GDPR Art. 28(4), VCDPA 59.1-575.(B)(5), PDPA SDPC 2.4.2).
As including a new supplier in the supply chain can be considered a change to the service, the DPA should contain clear instructions on how such changes are communicated to customers, what action is expected from them (silent acknowledgement with the possibility to object, active acknowledgement, consent, etc.) and what obligations the supplier has if a customer does not approve of the change. As these requirements propagate down the supply chain, we are starting to enter the area of 4th party management.
No matter whether you are a data controller or a data processor, the above requirements mean that you'll have to maintain a number of DPAs. Preferably, these DPAs set out the same requirements across your business relations, but often you'll just have to accept the terms that are given to you. PASERO provides you with three essential tools that help you stay on top of these DPAs: