Hello and welcome back. It's Ralphie Brian here, and we're just continuing our Module 5 looking at different assessments that we can perform, and this time we're going to look at second parties, or our vendors if you like: our vendor assessments. This really is examining relationships. These days I find no person is an island. No person is an island, as they say, and therefore we've got to not only control our own compliance, but also that of our processes, also that of our third parties. I'm going to go back to GDPR here, and you can see here that a number of these things are now almost jointly the responsibility of the controller and the processor, or indeed controller to controller if we're giving information to other parties. It becomes incumbent upon us then, as an organization, wherever we're sending data to, whether it be to another controller, whether it be to a processor, the second party in that contract, to make sure that we understand what these individuals are going to do with it, where they're going to send it. Because often we are then responsible for telling the individual at the front end; we have to be transparent with the individual, so we have to understand that data's ultimate destination: where it ultimately ends up, who else might gain access to it, who else might see that data. That means that we have to keep a very strict control over who we're going to send that data to. You can then think about this in terms of making sure they comply with the obligations, making sure they comply with laws and regulations across the globe, making sure they have got the appropriate security, and making sure they comply with their obligations as well. I kind of think about this as four steps to this process. There's due diligence, and by that I mean, before you enter into a contract with an individual company, a second party: who are they? Do I want to be getting into bed with these individuals? If I do, then we move to the contract stage.
We want to understand and have a contract in place. Often I find that's as far as organizations go: they get as far as looking at the contracts, they get the lawyers involved, they then get the other party to commit to do certain things. What I find organizations are less good at doing is actually then checking that they are doing it, actually managing that relationship. Once we get past the contracts, what difference has the contract made? How has it ultimately made things better for the individuals? What does that second party to the contract do with the data, and are they complying with their contractual obligations? A lot harder to manage. Then, what people very rarely do is, on contract termination, or rather when going into the contract, decide what's going to happen upon termination: who gets the data, where does it go? Now let's examine each of them in turn. Due diligence first of all. When we're going into a new contract with a new second party, we're going to have a load of pre-contract questions; we're going to be checking them out, understanding exactly who they are and what they do. Do they have the appropriate security in place? We want a security questionnaire or a privacy questionnaire to send them. What's their knowledge of data protection? Do they have any breaches that we're aware of, or are they under any investigation by a regulator? What can they give us in terms of assurance: accreditation, certification, policy framework? I think what's more important is who else do they give the data to? Do they have any sub-processors, or where are they going to keep the data? Is it going to travel internationally? Do they have support contracts in Brazil, or cloud providers in the US, or Chinese investors who will want to look at the data? Due diligence becomes very important. Due diligence is kind of one of the areas where we then get down and decide exactly who we want to get into bed with. Who else is in bed with them?
Then we have to think about contracts. Again, going back to my GDPR knowledge here, Section 28 of the GDPR, or Article 28 of the GDPR, is really good, actually saying what sort of things you might need. Sometimes these are actually addenda to contracts. A data processing addendum is something that is regularly done, or a schedule, which is also an addition to the contract. The one thing I'd never suggest you do is to say in the contract, "you must comply with data protection laws globally", or "you must put in appropriate technical and organizational measures", because nothing is nothing. I think if you've got to control your subcontractors, you've got to very much dictate to them what it is and isn't you expect, and that's really hard. International data protection has got this concept of controller and processor, where you as a controller, you're in charge of giving out the contracts, you are employing a sub-processor, and they are acting on instruction; they are your processor, they are doing what you're telling them to do. But actually in the [inaudible] world, that's kind of the way it works. Often the processors are bigger than the controller. You try telling Microsoft or Google or Salesforce or Amazon or Apple what to do. You say, "well look, I'm the controller, you're my processor, you do what I tell you," and they'll go, "look, you signed our contract to get our service. You can't change it. This is what we do. Take it or leave it, or go to our competitor," and guess what, their contract will be the same. I find it difficult. A lot of organizations have got limited capability to change these contracts. They've got limited capability to control their processors. Therefore, I actually work quite a lot with the processors. I work a lot with the providers, work a lot with the second parties who say, "hey, sign that contract, this is the way we work," to make sure they have done the correct amount of privacy by design, they have done the correct amount of data protection.
Please use it as part of your purchasing decision-making, to see what they have already done. Technically, they should be processing only on your documented instruction. They shouldn't be doing anything with the data that you tell them not to do. You need to make sure that your contract includes all the different purposes that they might use it for subsequently. You've got to have confidentiality and appropriate security. When we say appropriate security, please don't just say "appropriate technical and organizational security", because what they consider appropriate and what you consider appropriate might be different things. When you say what's appropriate security, I think you need to dictate what level of security you expect. A piece of wood in the hole for a door, that's a security measure. Does it need a key card, or a keypad, or a person with a gun standing outside of it, or a dog, or an access control list? Does the door need to be made out of lead or metal, or have a window in it, or does it need to be reinforced, or is it key card or biometric? What's appropriate? Up to you to determine, and up to you to communicate that on to your providers. Of course, if they're going to then sub-process, they might need to get your consent. In order to do that, you need to understand exactly what their ecosystem looks like, where the data goes, who they use to process their data. If the data is passed down the chain, you're going to need to understand that entire chain, who those processors are. If they want to change their sub-processors, well, they need to come to you and ask. That's a change of the contract, if you like. What happens if things go wrong? What happens if people get in touch with them?
Well, at the end of the day, if you're in charge, if you're the controller, well, the individuals should be getting in touch with you as a controller, so it becomes the processor's or the subcontractor's obligation to assist with things like data breach notifications, or providing for data subjects' rights, or getting rid of or deleting or returning the personal data, especially at the end of the contract. They've got to demonstrate their own compliance, of course, whether that's to the GDPR or other international privacy laws. The final one, one of the most contentious ones here, is about submitting to audit. I find that a lot of organizations don't want to submit to audit because otherwise they'd be doing nothing but walking their clients around the data centers. Rather than saying "submit to audit", which is what it says in the GDPR, I think we have to understand the level of assurance we want from that third party, or second party I should say. You are the one managing that contract. How important is that supplier to us? What risk do they manifest? I find that most organizations have always got tiers of suppliers: Tier 1, critical suppliers; Tier 2, not as important; Tier 3 and Tier 4, not important at all. Depending on the tier of your supplier, you're going to want a different level of assurance from that supplier. You're going to want a different level of assurance that they are following exactly what you want them to follow. This includes things like transfers across the globe, international transfers. This is going to include things like security; it's going to include their data use, their subcontractors. You need to understand what that contract means to them, what they're going to do as a result of that contract, and how they're going to assure you that they are keeping up their end of the bargain.
Because quite honestly, even though most breaches happen within the second party, within the processors, it's always the controller's name that's in the newspaper. What level of assurance have we got here? Well, it could be just a contract. That might be the level of assurance you want. Do we want, again, audit badges from third parties, from true third-party assessments or certifications, to say, "hey, they've got good security, hey, they've got good data protection"? Or would you carry out your own assessments and audits? Even further than that, you need some performance indicators or reports from them on a regular or systematic basis. Do you need a weekly meeting or a daily call? Even more important, you need to monitor them live. I mean, how important is it for you to gain the level of assurance you want? Of course, if people don't work out, people don't work out. Or if you come to a contract end, or want to change providers, you're going to want stuff in there that talks about how you terminate. What happens on that termination? I mean, do you get the data back? Do you get the personal data back? Are they going to delete it instead? What assurances do you have that they have deleted it? What about things like intellectual property or proprietary software? How is it going to operate at the end? Even if they do give you the data back, can you use it? Do they have some software that you need in order to process it? Think about what's going to happen at the end of the contract as well. That's the end of what we're going to talk about on second parties. Second parties become really important, really important for organizations. No organization is an island anymore. Most organizations rely on other third parties or second parties to deliver their services. Today, we're just going to talk about a couple of other assessments that might be important for us to understand and assess where we are with data protection at the moment.