Companies increasingly rely on third-party vendors to meet their operational needs. Yet managing the data risks in an outsourced world has become a major challenge for security, compliance, procurement, legal and executive management.
The EU General Data Protection Regulation requires management of data privacy risk throughout the vendor relationship, from vendor selection through to contract termination, and because the GDPR holds companies and their vendors (controllers and processors) jointly liable, it is critical to analyze vendor data transfers and contractual obligations with the same level of diligence as internal processing activities.
This article will compare vendor management requirements under the GDPR to those under the Health Insurance Portability and Accountability Act in an effort to draw attention to their similarities and how lessons learned from previous experiences can be leveraged to address new challenges.
Under Article 28, controllers need to choose processors who can provide sufficient guarantees of appropriate technical and organizational measures. The burden, then, is on the controller to put processors through a vetting process. Of course, this is not groundbreaking news, and most likely your organization is doing this already.
Where things start to get interesting, though, is in the requirement that processors cannot engage another processor (i.e., a sub-processor) without first obtaining prior specific or general written authorization of the controller. Further, even with general written authorization of the controller (e.g., when included in a processing agreement), the processor needs to notify the controller if they intend to engage a new sub-processor or change sub-processors and give the controller the opportunity to object to the change. Additionally, the processor must pass the “same data protection obligations” that they have with the controller down to the sub-processor. Processing must also be governed by a contract, with specific requirements found in Article 28 for what must be included in that contract (discussed in detail below).
Finally, processors may not process personal data except on instructions from the controller. If they process the data beyond those instructions, they will be treated as a controller at that point and will be responsible for meeting controller obligations and liabilities under the GDPR (in addition to violating their processing agreement).
Now, if you have spent any time in the health care sector, many of these requirements are not new to you. The Health Insurance Portability and Accountability Act has its own term for vendors, which are known as “business associates.” Business associates are persons or entities that perform certain functions or activities involving the use or disclosure of protected health information on behalf of, or provide services to, a covered entity (i.e., health plans, health care clearing houses, and health care providers who transmit health information in electronic form in connection with certain transactions). The HIPAA Privacy Rule allows covered entities to disclose PHI to business associates if they execute a written agreement that stipulates that the business associate will use the information only for specific purposes, will safeguard the PHI, and will help the covered entity comply with its duties under HIPAA. Moreover, the written business associate agreement between the covered entity and business associate is required to include some specific elements as well (discussed in detail below). Of course, this should all sound familiar because we discussed essentially the same thing above in the context of the GDPR.
Similar to current efforts by data controllers to get into compliance with Article 28 of the GDPR, under HIPAA, covered entities who already had written agreements with their business associates prior to October 2002 were permitted a one-year grace period to bring those agreements into compliance with HIPAA. Also, HIPAA allows “flexibility of approach” to vendor management — i.e., it utilizes a risk-based approach similar to that of the GDPR, which requires the implementation of "appropriate technical and organisational measures." Under HIPAA, “[c]overed entities and business associates may use any security measures that allow the covered entity or business associate to reasonably and appropriately implement” its standards and specifications.
In the following table, we provide a side-by-side listing of the GDPR and HIPAA requirements for processing agreements and business associate agreements, respectively, and have tried to group similar requirements together.
With approximately two months left to go until the GDPR comes into effect, many are reporting that they still have much left to do. With a global and comprehensive regulation like this one, it can be easy to get caught up in all the “new” requirements, and we sometimes forget about the work we have already done as privacy professionals. Remember, in some ways (like vendor management), we have seen this movie before.