Privacy is celebrated globally each year on January 28th to commemorate the signing of the first legally binding international treaty dealing with privacy and data protection. This year, companies across the globe are participating in a full week-long initiative to drive a campaign for Data Privacy Week that respects privacy, safeguards data, and enables trust. Data Privacy Week encourages businesses to respect data and be more transparent about how they collect and use customer data.
Looking back at 2021, there have been significant shifts in privacy rules, obligations, and regulatory expectations for data protection. New regulations and enforcement have triggered a stronger focus on data governance, contractual compliance, cybersecurity and maturing of processes to assess third party risk. GDPR compliance continued to top “to-do” lists for privacy and security professionals. Adopting the modernized “Standard Contractual Clauses – or SCCs” between outsourcers/controllers and vendors/processors brings together the disciplines of due diligence, contractual compliance, and third party risk management. The International Association of Privacy Professionals (IAPP) and EY-Law released their most recent Governance Report which profiled the changes seen in the past year related to data privacy, data protection, and how the industry is responding to a changing digital and regulatory landscape.
Data Governance by the Numbers
- Nearly 6 in 10 privacy pros said that complying with cross-border data transfer laws is their most difficult task
- More than 7 in 10 firms transfer data from the EU to a third country
- SCCs are used by nearly all (94%) of the firms to authorize transfers since the invalidation of Privacy Shield
- The vast majority of firms (87%) use vendors to process personal data
- 2 in 4 organizations use the NIST Privacy Framework or ISO 27701 as benchmarks for assurance to privacy obligations
- 90% of respondents rely on assurances in the vendor contract and 67% require completion of questionnaires or assessments from vendors
Why Standard Contractual Clauses are Important
SCCs are designed to address transfers of personal data to third countries between data exporters and data importers. SCCs provide a set of contract provisions between controllers and processors based on Article 28 of GDPR. Contractual obligations between parties are configured using Contract Templates based on the business model context. The obligations set out in the contract terms are based on the business model between parties and focus on the definition and oversight of data processing.
- Establishes a warranty of data protection safeguards by the vendor providing services
- Requires both organizational level due diligence; but legal jurisdiction assessments based on the nature of the services that are outsourced
- Requires due diligence evidence and proof of controls triggering the need for enhanced recordkeeping of vendor assessments
- Enables termination of agreement for vendor non-compliance
- Establish mandatory sub-contractor or sub-processing obligations
- Data protection and data governance obligations specific to each product or service are summarized in SCCs contract Annexes
Contracts with new vendors are required to use the SCCs as of Q3, 2021 to address GDPR compliance and contracts with existing vendors need to be updated by the end of 2022. Modified versions of SCCs are in review for use by UK organizations are pending based on the exit of the UK from the EU. For third party risk professionals this work effort is not just a “contract” exercise but requires and update to due diligence processes and potentially even changes to an organization’s vendor risk ratings or vendor classification hierarchy.
SCCs define a multi-dimensional set of contractual relationships. The SCCs were designed to address the complexity of today’s technology landscape and set out obligations between subcontractors, sub-processors, or what risk professionals describe as the “Fourth-Nth Party” ecosystem. SCCs require updates to contracts to include specific information in the contract appendices or “annex” to the contract. These appendices describe the nature of the business relationship, the personal data context, and the types of controls in place for data protection and data governance.
Contract Annex Examples:
I. Type of Data for each Business Model
For each contract between parties, the first Annex requires the collection and identification of the personal data context in the contract between the outsourcer/controller and the vendor/processor. Examples of the type of information to be gathered, documented and maintained for each type of contract: data subject, frequency of transfer, nature and purpose of processing, category of personal data, retention periods, transfers to sub-processors.
II. Data Protection Safeguards
The second Annex describes a summary of the data protection safeguards in place for the delivery of the services. The contract template provides illustrative examples of the types of technical and organizational security controls that should be documented or summarized. Examples of the type of information to be gathered, documented and maintained for each type of contract: Encryption, pseudonymization, user identification, data transmission protections, data quality, data portability, data recovery, data destruction, events logging, system configuration, IT and Security governance, certification/assurance of controls.
III. Authorized list of Third and Fourth Parties
The third Annex describes a summary of the authorized set of subcontractors/sub-processors in place for the delivery of the services. The list requires the identification of all downstream vendors involved in the delivery of the services.
Leveraging the Data Governance Tools
In response to these data governance challenges faced by industry sectors and members of the third party risk management community, Shared Assessments updated its’ core data governance tools for managing privacy risk in third party relationships. The Data Governance Tools provide a set of tools that can be used to address specific data protection obligations in third party risk. Tools include a scoped Privacy SIG Questionnaire mapped to privacy frameworks, a standardized test procedure to validate a third party’s controls, and the Target Data Tracker (TDT).
The TDT was updated to align to the needs of organizations that are adopting SCCs or who need a standalone privacy assessment tool to address data protection impact assessments. The TDT Tool includes content to address all three of the contract annexes used in SCCs. The tool enables the identification of the data subject, data element categories, and type of personal data by regulatory jurisdiction. The TDT enables a summary or “record of processing” that describes the purpose and nature of the processing, along with the type of outsourcing contract, type of SCCs, and an updated Data Protection Safeguards section to summarize the key controls in place.
Given the pace and complexity of data protection regulations, Shared Assessments provides Data Governance Tools as a free industry resource available for download to help organizations navigate and address data governance in third party relationships.
This article was originally published by Shared Assessments and is shared with their kind permission
About the Author
Linnea Solem is a Management Consulting Executive and retired Chief Privacy Officer with cross-functional background with 30+ years of experience working in regulated industries. Solem has significant industry knowledge and experience working with internal and external organizations on governance, privacy, security, and compliance.