Compliance costs CEOs should

Chukwuemeka Cameron

Wednesday, April 21, 2021

A few weeks ago I wrote an article suggesting that the filing of registration particulars required by section 16(2) of the Data Protection Act (DPA), coupled with the section 17 requirement of the information commissioner to maintain this information in a public register, may have a crippling effect on a company or firm's drive to innovate and offer increased customer value. Conversely, we see where making available data protection impact assessments (DPIA) filed with the commissioner to specified entities may reduce the cost of contracting third parties. The chink in this rationale, however, is that data processors are not subject to the DPA, and as such are not required to file DPIAs with the information commissioner.

Section 30(4) of the DPA dictates that a data controller can only work with a data processor that provides sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and takes reasonable steps to ensure compliance with those measures. This places a heavy financial burden on the data controller, which must ensure that some form of audit is conducted on the data processor in order to demonstrate that it took reasonable steps to ensure the data processor's compliance. Conducting audits, whether done in-house or outsourced, involves time and money, increasing the cost of engaging the services of third parties.

At the heart of this requirement is the obligation of the data controller to ensure that the personal data of their customers are protected, even when it is being processed by a third party on their behalf.

In case you are wondering if you are a data controller, more than likely you are if you have a business or organisation and have employees or customers. A data processor, on the other hand, is any entity that processes personal data on your behalf; for example, if you hire a lawyer, marketing company, or software company.

Back to the matter at hand, the law requires data controllers to take reasonable steps to ensure that sufficient technical and organisational measures are in place to protect the personal data you give to that law firm or marketing company. This means you must understand how personal data is processed by the law firm or marketing firm and what technical and organisational measures are in place to protect it. Having completed that exercise, you are then required to ensure that the law firm or marketing firm is actually complying with those measures. If you or your company has several data processors, conducting the requisite due diligence can become a time-consuming and expensive exercise.

This issue came to the fore a few months ago when the Spanish Data Protection Authority handed down a fine of €4 million against the European telecoms firm Vodafone for violating article 28 of the General Data Protection Regulation (GDPR), as it had not required verification of compliance by its data processors through audits or inspections.

Similar to our law, under the GDPR data controllers are required to ensure that their data processors provide sufficient guarantees to implement appropriate technical and organisational measures to meet the requirements of the regulation and ensure the protection of the rights of the data subjects.

The investigation by the authority revealed that Vodafone did not have the means, technically or logistically, to verify the legality of the data it was processing. This was because it had outsourced so much of its operations to third parties. The authority found that there was a lack of real, continuous, permanent, and audited control of the processing operations carried out by the processors who Vodafone relied upon to carry out parts of their commercial activities.

In discussing this case and its implications with an international panel of data privacy experts on our weekly data privacy Clubhouse forum, one of the major concerns emanating from the discussion was the cost of conducting due diligence where a data controller has several service providers. It was concluded that, to be compliant, a data controller would have to have in place a robust supplier management programme.

It is our view that the costs and time associated with implementing and maintaining a robust supplier management programme can be significantly reduced if data processors were required to file DPIAs and these DPIAs could then be reviewed by data controllers. Section 45 of our DPA requires that each calendar year data controllers submit to the commissioner a DPIA in respect of all personal data in their custody. Included in the DPIA should be:

(i) a detailed description of the envisaged processing of the personal data and the purposes of the processing, specifying, where applicable, the legitimate interest pursued by the data controller;

(ii) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;

(iii) an assessment of the risks to the rights and freedoms of data subjects; and

(iv) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Act, taking into account the rights and legitimate interests of data subjects and other persons concerned.

If data processors were to file this information with the commissioner's office every year, at least three-quarters of the due diligence work of the data controller would be completed. The data controller would then only need to satisfy itself that the data processor has implemented the measures envisaged.

The challenge is that data processors are not subject to the DPA. One may argue that requiring them to file an annual DPIA would place a prohibitive burden upon data processors. It is our position that it would be more expensive for them not to. As soon as the DPA is in full effect, data processors would in practice have to prepare a DPIA for each data controller that wishes to retain their services, and undergo a due diligence exercise with each new business client. We suggest that, instead of having to do this for each client, it would be more cost-effective for both parties if the data processor were to file a DPIA once per year.

It is time business owners start acknowledging their obligations under the Data Protection Act. Once they have done so, they can start considering the cost implications and how best they can be mitigated. Mitigation in this instance would mean lobbying to have the legislation amended to require data processors to file DPIAs. While lobbying to have the legislation amended, CEOs may also want to lobby to amend the requirement that the information commissioner maintain registration particulars of data controllers in a public register.


Chukwuemeka Cameron, LLM, is an attorney, trained data protection officer, privacy practitioner, podcaster, and founder of Design Privacy, a consulting firm that helps you comply with privacy laws and build trust with your customers. Send comments to the Observer or ccameron@designprivacy.io.