The 4 Compliance Strategies of Data Processors
Organizations rely on a number of different Data Processors for things like record storage, secure shredding, computer recycling, and a long list of other services that require sharing access to regulated personal information.
And, though it doesn’t replace the requisite vendor selection due diligence evaluation, assessing their compliance acumen can help determine the service provider’s overall suitability prior to contracting and also help a client determine if a current provider should be required to upgrade.
1. DATA PROCESSORS WITH LITTLE OR NO COMPLIANCE STRATEGY (HIGH-RISK/NEGLIGENT)
These service providers are clueless about their regulatory standing and obligations as Data Processors. When asked if they are aware of their regulatory standing, they either respond that they have no idea or argue that they have none. Being oblivious, they obviously cannot be compliant, and the only reasonable options for their clients are intense remediation or moving on.
Where there is a current service contract in place with such a Data Processor, and they resist attempts to improve their compliance posture, that resistance should be sufficient legal justification to terminate the contract.
2. DATA PROCESSORS THAT SUPERFICIALLY FEIGN REGULATORY COMPLIANCE (HIGH-RISK/DECEPTIVE)
These Data Processors have some concept of their regulatory standing but short-cut the required precautions by using misleading or meaningless claims to falsely appear as if they are compliant. Though it is often difficult to tell when buzzwords, association memberships, and misleading qualifications are being used as whitewash, obtaining and reviewing their written operational security and compliance procedures is likely to expose them for what they are. No compliant service provider should object to sharing those procedures with clients since 1) regulations require Data Processors to have such a document, and 2) the document should be included as an exhibit to the required Data Processor contract.
Balking at the suggestion of sharing operational compliance procedures with clients is a serious red flag.
Once it is determined a Data Processor is in this category, again, the only reasonable options for clients are intense remediation or moving on.
By now, readers may be wondering how Data Processors in the first two categories stay in business. The answer, unfortunately, is that there are still clients who are unaware of the regulatory obligations and, therefore, don’t apply the requisite scrutiny. If all clients understood their requirements, these Data Processors would either change their ways or go out of business in short order.
3. DATA PROCESSORS THAT ARE AWARE OF THEIR REGULATORY STANDING AND CLEARLY DEMONSTRATE THEIR COMPLIANCE (SAFE/DEFENSIBLE)
The most common strategy for determining if a Data Processor meets this threshold is to verify that they hold a legitimate, audited, third-party certification. The caveat is, however, that if using a certification as an element of selection due diligence, it’s important to validate that the certification verifies the necessary criteria, that the certification body and the audit are legitimate, and that the certifying body provides a way to monitor the Data Processor’s certification status in real time.
Even with a certification in place, it is critical that clients obtain the Data Processor’s operational security and compliance procedures and talk with (i.e., grill) the individual assigned to be responsible for the Data Processor’s compliance.
Provided there is a Data Processor contract in place, linked to a copy of their operational procedures, and requiring the Data Processor’s certification (if available), using such a Data Processor is likely to be deemed acceptable in courts and by regulators.
4. DATA PROCESSORS WITH A SUPERIOR REGULATORY ACUMEN AND AN AUTHORITATIVE CAPABILITY TO SERVE AS A COMPLIANCE RESOURCE (PREFERRED/COMPLIANCE PARTNERS)
Data protection regulatory requirements are continually changing. Within the last 3 years alone, 19 US states have enacted new laws that impact the Data Processor as well as the client. The only way to be truly compliant is by contracting a Data Processor with the internal capability and acumen to monitor, understand, and respond to these changes.
Clients that are lucky enough to have such an option are often surprised to discover that most of these “compliance partner” Data Processors are competitively priced, often representing little or no price difference from unacceptable or less attractive options.
Where there is an option to join forces with a Data Processor with this capability and mindset, clients should seize the opportunity. And, where a current Data Processor falls short, clients should encourage them to upgrade.
It is unreasonable to expect that every business would be an authority on their ever-changing data protection and privacy requirements, and it is equally unreasonable to expect that any service provider whose business is based on handling regulated personal data would not be.
© 2024 Privata Vox, LLC - All Rights Reserved
About Author
Bob Johnson, CSDS, CIPP/US, CIPP/E, is the Principal Advocate at Privata Vox, LLC. Read more about his long career in privacy and data protection policy development.