Unfortunately, there are no ready-made risk assessments that every company can refer to in order to ensure that the new requirements are met. Each company must therefore document that it has assessed the risks of the supplier’s information security and data processing agreement, in addition to the additional requirements that the transfer of personal data to “third countries” (countries outside the EEA) implies.
Fear of big fines
Businesses fear breaches of privacy laws and the notorious fines that can come with them. Amazon was recently fined the equivalent of NOK 7.8 billion. The concern is therefore highly rational and understandable, given the regular decisions on fines.
There are clear tensions between companies’ desire to have access to certain types of technologies and services and their desire to comply with the regulations at the same time (being “GDPR compliant”).
We’ve put together some tips that can make it easier to assess whether a provider can be used in a GDPR-compliant way.
In general, it is recommended to create an overview for each individual provider that documents the assessments and investigations that have been carried out in accordance with the GDPR. Below are 7 more specific tips – a simple checklist for what you need to consider for each provider you want to share personal data with.
1. Find information on the processing of personal data by the provider – is the data security sufficient?
First, it is important to obtain information on how the provider processes personal data, and in particular in relation to the service in question. Document that the information security offered by the provider is good enough in terms of the intended processing of personal data.
Describe the intended use in terms of processing the personal data, and note what type of personal data will be processed and about whom. If health information and other special categories of personal data are to be processed, more stringent information security requirements apply. Stricter requirements also apply to vulnerable groups such as minors and employees.
Make a note of the websites that have been consulted and at the same time include positive security information, e.g. two-factor or multi-factor authentication, and information on anonymization, pseudonymization and/or encryption. It is also beneficial to describe privacy-friendly settings, e.g. a setting that limits data storage to data centers within the EEA. Another example is that the company decides to use the Google Analytics tool only with IP anonymization enabled, to prevent personal data from being processed by Google.
2. Clarify the grounds for the processing – do the business and provider have legal grounds?
In order to be able to process personal data in accordance with the GDPR, companies must assess whether there is a legal basis for the processing that can be used.
There are six grounds: a company may process personal data based on law (working environment law, personal data law, etc.), agreement (employment contract, customer agreement, etc.), consent, vital interests (to save lives, etc.), exercise of public authority (municipality or state company) or legitimate interest (a balancing test must have been carried out and data subjects must be offered the possibility of objecting).
It should also be noted what type of legal basis the provider has for the processing. If the supplier is only to process personal data on behalf of a Norwegian company as its customer, the supplier must be a processor who only processes personal data on the basis of an “agreement”. That agreement is the data processing agreement.
If the supplier does not consider itself to be a processor, it should be checked whether the supplier agrees to be a joint controller with the customer. Foreign providers who, together with the Norwegian customer, determine the purpose and means of the processing of personal data must inform the users to whom the personal data relates that they are joint controllers, and provide the contact details of each party for any questions.
3. Consider the data processing agreement: are the content requirements met?
If a data processing agreement has been entered into or is to be entered into with the provider, this should be reviewed to ensure that it meets the content requirements of such an agreement. The Norwegian Data Protection Authority has prepared some good guides on both when an agreement should be made and what it should contain.
In particular, check whether the agreement defines a clear framework for what the supplier can do with the personal data, and whether it contains sufficient information on the supplier’s subcontractors and IT security.
4. Investigate where the supplier with subcontractors processes the data – in which countries?
Although many providers disclose where they process personal data, the information available on a service does not always make it clear that the service involves a transfer of personal data to third countries. For example, the use of a cloud service sometimes involves transfer to or storage in a third country, or the use of a component of a service results in a transfer.
In order to assess whether personal data is sufficiently protected, it is essential to have an overview of this, as well as of what applies to the supplier’s subcontractors (sub-processors) for the service.
To obtain this information, it is often necessary to ask the supplier directly. A good question is whether it is understood that the supplier and its subcontractors only process data in EU/EEA countries.
5. Find a suitable transfer base – are the additional requirements met?
If the use of a service involves the transfer of personal data to third countries, you must identify the countries concerned. A few countries are safe and the European Commission has approved e.g. Israel and private companies in Canada. The UK can also be used for the time being.
For the United States and other uncertain third countries, a valid transfer base is required. Make sure to follow the guidelines of the Norwegian Data Protection Authority and the recommendations of the European Data Protection Board (EDPB) regarding transfers to third countries.
One solution is vendors that have approved Binding Corporate Rules (BCR). These providers may transfer data within their group to unsafe third countries.
Another solution is for the provider to use Standard Contractual Clauses (SCC) for such a transfer. The new SCCs apply from June 4, 2021, with a September deadline for bringing them into use. This means that many may now need to update existing agreements.
Following the Schrems II judgment, it is no longer enough to have a transfer basis in place. Each company must also carry out investigations and a risk assessment to determine whether the level of protection is sufficient given the country in which the supplier is located.
On 18 June 2021, the EDPB updated its November 2020 recommendations on the additional measures that need to be taken to ensure adequate protection. Note the type of additional measures the supplier offers or promises; for example, it is customary for the provider to have a “Data Processing Addendum” describing these measures.
6. Consider the risk to data subject privacy – is a DPIA necessary?
For certain types of personal data processing, a data protection impact assessment (DPIA) is required. It must be completed before the processing starts, and it should therefore always be investigated whether the processing in question requires such an assessment.
So document that you have considered whether a DPIA should be performed. For instance, will the use of an AI-enabled service that deals with a particularly vulnerable group of data subjects, such as employees or minors, trigger the requirement to perform a DPIA?
If the DPIA performed does not conclude that the risk-reducing measures will bring the risk for data subjects down from high, a meeting should be arranged with the Norwegian Data Protection Authority to assess the service more closely, or, to be on the safe side, do not use the service.
7. Get to the bottom of the issues – ask the supplier about the discrepancies
In some cases, it may be difficult to find good information on the websites or in the supplier’s contractual conditions. We recommend that you, based on the results from steps 1 to 6, collect the deviations, that is, what is not sufficiently documented for the customer to conclude an agreement with the supplier, and send them together to the supplier.
Most suppliers are happy to be asked, because positive responses can mean new customers and increased profits. Supplier responses can become additional attachments to the company’s internal documentation showing that the GDPR minimum requirements have been met.
More details?
To avoid fines such as those Amazon and many others have received, we recommend that you perform risk assessments in advance that document what has been assessed and done.
The article was written by attorney Malin Rapp Færder and partner/attorney Magnus Ødegaard, Law Firm Bing Hodneland DA.