Organisations that outsource their data processing operations need to ensure that the contractors they use are reliable, and take appropriate steps to keep the information secure. Cybersecurity failures can lead to serious reputational damage, being held to ransom by criminal hackers and sanctions by regulators, particularly where that information includes personal data.
Outsourced processing is normally governed by detailed contractual arrangements dealing with how the data will be stored and used. And, from May 2018, the General Data Protection Regulation, or GDPR, will require tougher and more detailed obligations in contracts.
New requirements for outsourced processing
The new requirements include compulsory details about:
- the subject matter and duration of processing;
- the nature and purposed of processing;
- the types of personal data and categories of data subject; and
- the obligations and rights of the controller.
The contract must also include terms requiring the data processor to:
- act only on the written instructions of the controller (unless required by law to act without such instructions);
- ensure that people processing the data are subject to a duty of confidence;
- take appropriate measures to ensure the security of processing;
- only engage a sub-processor with the prior consent of the data controller and a written contract;
- assist the data controller in providing subject access and allowing data subjects to exercise their rights under the GDPR;
- assist the data controller in meeting its GDPR obligations in relation to the security of processing the notification of personal data breaches and data protection impact assessments;
- delete or return all personal data to the controller as requested at the end of the contract; and
- submit to audits and inspections provide the controller with whatever information it needs to ensure that they are both meeting their obligations and tell the controller immediately if it is asked to do something infringing data protection law.
Impact on public sector contracts
The requirements of the GDPR affect almost all organisations that process personal data in the EEA or about European citizens with the public sector in the frame alongside businesses. So most public sector outsourcing will have to meet the new requirements.
The UK Crown Commercial Service has issued a Procurement Policy Note PPN 03/17 that explains the new rules and sets out the contractual changes that will be needed for processing personal data in the future. The new requirements will apply to all processing relationships from May 2018 and so as well as affecting new arrangements existing relationships may need to be updated.
Businesses that are currently supplying data processing services to Central Government and other public sector bodies should expect to be contacted with a view to bringing existing agreements up to date and ensuring that technical and organisational capabilities will measure up. Equally those planning to bid for new contracts should expect to see the new obligations in future contracts.
The GDPR also imposes new obligations on processors. These include obligations to keep records of processing and in many cases employ a data protection officer. The PPN notes that public bodies should not accept liability for fines directly imposed on their processors under the GDPR.