Unfortunately, there is no complete risk assessment that every company can refer to to ensure that the new requirements are met. Therefore, each company must document that they have assessed the information security of suppliers and data processor agreements in addition to the additional requirements required by the transfer of personal data to a «third country» (country outside the EEA).
Afraid of big fines
Businesses fear breaches of privacy laws and the notorious fines that may follow. Amazon Finn recently received a fine equivalent to 7.8 billion kroner. Therefore, these concerns are very rational and understandable, considering the frequent fine decisions.
There are clear challenges related to the desire for companies to have access to certain types of technology and services, and the desire to comply with regulations at the same time (becoming “GDPR compliant”).
We’ve put together a few tips that can make it easier to assess whether suppliers can be used in a GDPR-compliant manner.
In general, it is recommended to create an overview for each individual supplier documenting the assessments and surveys that have been carried out in accordance with the GDPR. Below are 7 more specific tips – a simple to-do list for what you should consider for each supplier you wish to share personal information with.
1. Find information about supplier’s personal data processing – is data security good enough?
First and foremost, it is important to obtain information about how providers process personal data, and especially in relation to the relevant services. Document that the information security offered by the supplier is reasonably good in relation to the personal data processing plan.
Explain what the purpose of use is with respect to the processing of personal data, and note what types of personal data will be processed for whom. If health information and other special categories of personal data are to be processed, more stringent requirements are set for information security. Stricter requirements are set for vulnerable groups such as minors and employees.
Write down which websites have been read, and at the same time include positive information about security, e.g. two or multi-factor authentication, information on anonymization, pseudonyms and/or encryption. It is also an advantage to explain privacy friendly settings, e.g. arrangements that restrict data storage to data centers within the EEA. Another example is that the company decided to only use IP Anonymization with Google Analytics tools to prevent personal data from being processed by Google.
2. Clarify the basis of treatment – do the company and suppliers have a legal basis?
In order to be able to process personal data in accordance with the GDPR, companies must assess whether there is a legal basis for the processing that can be used.
There are six reasons: Companies may process personal data in accordance with the law (Work Environment Act, Personal Data Act, etc.), agreements (employment contracts, customer agreements, etc.), consent, vital interests (to save lives, etc.), exercise public authority (city or state activity) or have a legitimate interest (must carry out a balance test and offer registered protest opportunities).
It should also be noted what kind of legal treatment the supplier has. If the supplier only processes personal data on behalf of a Norwegian company as a customer, the supplier must be a data processor that only processes personal data on an “agreement” basis. Such an agreement should be a data processor agreement.
If the supplier does not consider itself a data processor, it should be checked whether the supplier agrees to share responsibility for processing with the customer. Foreign suppliers who, together with Norwegian customers, decide the purpose and manner of processing personal data, must inform users to whom personal data applies that they are jointly responsible for processing each other’s contact information for possible inquiries.
3. Evaluate the data processor agreement – are the content requirements met?
If a data processor agreement has been entered into or will be signed with a supplier, this should be reviewed to ensure that the agreement meets the content requirements for the agreement. The Data Inspectorate has prepared good guidelines on when an agreement should be made and what it contains.
Specifically check whether the agreement establishes a clear framework for what data processors can do with personal data, and whether the agreement contains sufficient information about supplier subcontractors and IT security.
4. Check where suppliers with subcontractors process data – which countries?
Although many providers disclose where they process personal data, it is not always clear from the information available about their services that it still involves the transfer of personal data to a third country. For example, use of cloud services involves transfer/storage in a third country, or use of support for services results in transfers.
In order to assess whether personal data is adequately protected, it is important to have an overview of this, as well as what applies to the supplier subcontractors (data processors) for the service.
To access this information, it is often necessary to ask the supplier direct questions. A good question is whether it is correctly understood that suppliers with subcontractors only process data in countries within the EU/EEA.
5. Find a suitable transfer base – are additional requirements met?
If the use of the service involves the transfer of personal data to a third country, it is necessary to identify which country is relevant. Some countries are safe, and the European Commission has approved e.g. Israel and private business in Canada. UK can also be used until further notice.
For the United States and other insecure third countries, a valid transfer base is required. Be sure to follow the guidelines and recommendations of the Data Inspectorate of the EU Privacy Council (EDPB) regarding transfers to third countries.
One solution is suppliers who have been given a binding business rule (BCR). Such suppliers may transfer data within their group to unsecured third countries.
Another solution is for providers to use standard privacy regulations (SCC) for such transmissions. From June 4, 2021, the new SCC comes with a final deadline for use in September. This means that many people may now need to renew existing agreements.
As a result of the Schrems II decision above, there is no longer sufficient basis for transfer. Each company must also conduct a survey and risk assessment as to whether the level of protection is adequate in relation to its supply country.
On 18 June 2021, the EDPB updated its recommendations from November 2020 on further measures that should be implemented to ensure adequate protection. Write down what additional actions the supplier offers or promises, e.g. it is common with the supplier’s “Data Processing Addendum” where the action is informed.
6. Assess privacy risks for data subjects – is DPIA necessary?
For certain types of personal data processing, a privacy impact assessment (DPIA) is required. It must be completed before treatment begins, and therefore it should always be checked whether the treatment in question warrants such an assessment.
Therefore the document that has been considered whether DPIA should be carried out. As an example. the use of artificial intelligence services that treat vulnerable groups registered as employees or minors will require an obligation to perform DPIA.
If the DPIA does not conclude that risk reduction measures will reduce the risk of dropping from high to enlist, someone should have a meeting with the Data Inspectorate to further assess the service or be on the safe side – not use the service.
7. Get to the bottom of the question – ask the supplier for deviations
In certain cases, searching for good information on the website or in the terms of a supplier’s contract may be demanding. We recommend that, based on the findings from 1 – 6, the deviations are collected, i.e. what is not documented well enough for the customer to make an agreement with the supplier, and send them together to the supplier.
Most suppliers are happy to ask questions because positive answers can mean new customers and increased profits. Responses from suppliers can be an additional appendix to the company’s internal documentation showing that the minimum requirements in the GDPR have been met.
To avoid the fees that Amazon and some others have received, we recommend that you make a risk assessment first as a document of what has been assessed and done.
This article was written by assistant attorney Malin Rapp Færder and partner/lawyer Magnus degaard, Bing Hodneland DA . law firm.