Privata Vox® Blog

What Business Services are Data Processors, and Why Does It Matter?

This entry is intended to help both novice and veteran data protection professionals appreciate the number and types of service providers subject to the compliance requirements of privacy regulations.

As far back as the mid-1990s, regulations have reflected the fact that data-related vendors, a.k.a. data processors, are critical to data controllers’ ability to protect personal information. That’s why all such regulations now specifically address data processors’ status and relevance.

Invariably, this regulatory status mandates that when hiring data processors, data controllers are to 1) exhibit vendor selection due diligence and 2) use strong, clear contractual language binding the processor to security and compliance obligations. And, even where processors are not held directly responsible for compliance by the regulation itself, as is the case in the rash of new state regulations popping up around the US, the data controllers are required to bind their processors to regulatory compliance with a Data Processor Agreement.

The most common failing in this compliance dynamic, unfortunately, is that controllers too often don’t have a full understanding of which of their vendors actually qualify as data processors. As a result, these vendors are not subject to the required scrutiny or contractual language.

Making things worse, many such vendors are also often unaware of their regulatory status, while others openly resist being classified as such (though they clearly are).

And, so, to set the record straight, here is a list of business services that qualify as data processors:

  • Cloud Service Providers
  • Payroll Companies
  • Data Analytics Firms
  • Human Resources Services
  • Scanning, Imaging, and Digital Records Services
  • Document Storage and Destruction Services
  • IT Asset Disposal and Computer Recycling Firms
  • Payment Processors
  • Background and Drug Screening and Credit Reporting Agencies
  • IT Managed Service Providers (MSPs)
  • Medical Waste Removal Services
  • Computer & Office Equipment Leasing Firms
  • Medical Device Leasing Firms
  • Any other vendor granted access to personal information

Like it or not, no data controller can be truly compliant with data protection and privacy regulations without properly vetting and contracting these service providers.

Given the number of data processors serving the typical modern enterprise and the lack of awareness and misconceptions surrounding them, it should come as no surprise that in most cases some remediation will be necessary to shore up related compliance issues.

In so doing, the way to start is by creating a list of all vendors actively providing these services and then analyzing whether the proper vetting process and appropriate contract was used when hiring them. Most likely, shortcomings will be discovered that require retroactive steps to validate processors’ qualifications and contracts. And while it means work, and maybe a few uncomfortable conversations, it is far better to correct the situation than to allow the non-compliant controller-processor relationship to continue.

There are a few things to look out for when tackling such remediation.

The first thing controllers often do when wrangling vendors into the processor-controller dynamic is to put them on notice. That’s not the problem. The problem comes when the vendor then tries to take control of the situation. For instance, they may try to explain why they are not data processors in the first place. Or they may go in the other direction by offering to provide their standard controller-processor contract. Neither is acceptable. An organization can’t very well tell a regulator it didn’t properly vet or contract the data processor because the processor said it didn’t have to. And, as for using the processor’s contract, it’s a safe assumption that the processor has protected itself at the controller’s expense. It’s fine to review what they provide, but never okay to accept it at face value. That review should be left to a qualified professional with the controller’s interests in mind.


© 2024 Privata Vox, LLC - All Rights Reserved