|Guest blog by:
Paul Dawson-Hart, Member360
In less than a year it will be the responsibility of membership organisations to ensure personal data is secured in accordance with the GDPR, and that any third-party processors they use are vetted to ensure the same.
But what does this mean? What is a processor and how might a membership organisation go about doing this?
Processors are bodies contracted by the controller (that's you) to perform some function on personal data, such as cleansing, analysis or communication fulfilment. These are exactly the type of high-risk activities that appear with ever-growing frequency in the ICO's list of monetary penalties, which the ICO publishes on its website.
As with much of the regulation, a lot is still being ironed out, but ISO/IEC 27001 is a good starting point for your processor. Certification is widely recognised as evidence that a third party operates a managed information security programme, and it is a requirement in a growing number of contracts that involve valuable information.
But it is only a baseline, and it is open to interpretation. A certificate covers a defined scope, which may not include the systems that actually process your members' data; a supplier who merely claims to be "aligned" with the standard, without accredited certification, is self-assessing; and levels of compliance differ widely across the UK. Ask to see the certificate and its statement of applicability, not just the logo on the website.
GDPR mandates that contracts between controllers and processors contain a number of specific terms, which are listed in Article 28, and the ICO will shortly publish guidance on the wording used in these contracts. As soon as it arrives it will be shared via this blog, although the latest news suggests it will not differ significantly from what is required under the current Directive.
However, reading GDPR in isolation might give the impression that the security of personal data processed by data processors can be managed via contract alone. Many membership organisations rely heavily on contracts, rather than on what is now also essential: a resource-intensive and robust ongoing due diligence process.
A quick glance at existing guidance from the ICO describes our current commitments:
- we must choose a data processor that provides sufficient guarantees about its security measures to protect the processing it will do;
- we must take reasonable steps to check that those security measures are actually being put into practice; and
- there must be a written contract setting out what the data processor is allowed to do with the members' personal data.
Is your organisation actually doing this right now?
Perhaps you already retain the right to check via a 'right of audit' clause in your data processing terms?
If so, when was the last time you exercised it and conducted an audit?
Have you tested the processor's systems by sending something down the line that should be picked up by their QA checks, and confirmed that it was?
What will you do if you find, several years into a contractual relationship, that these measures are not in practice, and never have been?
There is only one viable approach to gauging a supplier's security and data protection practices, and that is robust due diligence prior to engagement and at regular intervals thereafter.
You need to conduct a data protection impact assessment (DPIA), which will determine how much scrutiny the engagement needs: anything from a light information security questionnaire through to regular, perhaps even unscheduled, on-site visits and security walkthroughs. It is only by front-loading this process that you can gain genuine assurance that a data processor has the ability to protect your members' data.
Outcomes should include:
- Satisfaction that the processor can adequately protect your data and is GDPR-ready, i.e. progressing to contract review;
- Confirmation that the processor has, or is developing, systems that allow restriction of processing and withdrawal of consent to take effect promptly, i.e. if your member can restrict processing in your members' privacy area, there needs to be dynamic integration (via APIs to your processor) so that the change is reflected down the pipeline in any communications or processing;
- Identification of risks, development of a mitigation strategy, and stipulation of additional GDPR controls within the contract;
- A mechanism for determining that the risks are not acceptable and that the engagement cannot continue;
- If being conducted as part of a tender process, assurance that data security and data protection scores are weighted with equal or even greater importance than functionality and price.
And remember that your risk now extends to your processors and their sub-processors: under Article 28 a processor may not engage a sub-processor without your authorisation, and must flow the same data protection obligations down to it, so your scrutiny is needed here as well.
For more information and guidance on GDPR as it relates to the membership sector feel free to contact me on Paul@member360.co.uk or via the MemberWise Community forum.