Written by Rena Mears, Ryan Sulkin, Eric Roth and Jim Halpert
Controllers need to negotiate contract terms with third-party controllers and processors that are consistent with the controller’s obligations under the Shield. By Rena Mears, Ryan Sulkin, Eric Roth and Jim Halpert.
The Privacy Shield’s heightened infrastructure, regulatory, and documentation requirements present participating companies with new compliance requirements when transferring EU personal data to data controllers or data processors in the US. These conditions come at a time when many sectors use increasingly complex vendor “ecosystems” that process personal data and the US Federal Trade Commission (FTC) is signaling that companies have greater oversight obligations over vendors that process personal data.
Traditional supply chain models envisioned a limited number of third-party entities each providing directly to a data controller well documented services that result in an end product that was ultimately unaltered from its original design. However, today’s technology-driven ecosystems have made the traditional supply chain methodology virtually obsolete. With the explosive increase in data-driven services, all certifying companies, both small and large, must now understand how the Privacy Shield will affect their existing vendor management processes.
An effective vendor risk management program integrates strong contract provisions alongside a comprehensive operational vendor risk assessment methodology. This article shows how to adapt such a methodology to entities that certify under the Privacy Shield.
DRAFTING AND NEGOTIATING CONTRACTS WITH THIRD PARTIES
The EU-US Privacy Shield requires first party controllers who certify under the program to enter into a contract with third-party controllers (including affiliates within a same corporate group) that provides that:
- Privacy Shield personal data may be processed only for limited and specified purposes consistent with the notice provided to the individual (and the consent obtained if consent is obtained); and
- The recipient will provide the same level of protection as the EU-US Privacy Shield Principles for the Privacy Shield personal data, will notify the controller if it makes a determination that it can no longer meet this obligation and, if so, cease processing or take other reasonable and appropriate remedial steps.
To transfer Privacy Shield personal data to a third party acting as a processor, organizations must:
- Transfer such data only for limited and specified purposes;
- Ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles;
- Take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization’s obligations under the Principles;
- Upon receipt of notice from the processor that it can no longer meet Privacy Shield requirements, take reasonable and appropriate steps to stop and remediate unauthorized processing; and
- Provide a summary or a representative copy of the relevant privacy provisions of its contract with that processor to the Department of Commerce upon request.
Accordingly, when negotiating contracts with third party controllers and processors, first party data controllers should consider the following (note: beyond negotiating contracts that address the bulleted points above, each of the steps described below is not specifically called out as required by the Privacy Shield ):
- Conduct a reasonable amount of due diligence on the third party controller, to confirm that the third party controller is capable of providing the level of security required by the EU-US Privacy Shield — namely “reasonable and appropriate measures to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data.” While the EU-US Privacy Shield does not specify the exact type or amount of due diligence required, sound due diligence may include requiring the Vendor complete a security-assessment questionnaire, requesting supporting documentation, and if warranted, performing follow-up interviews and on-site information gathering tailored to the risks posed by the circumstances at-hand.
- Determine and notify the third party of the purposes for which the vendor is permitted to process the data pursuant to notices provided and consents obtained by the first party data controller.
- Negotiate contract provisions consistent with the controller’s obligations under the EU-US Privacy Shield (as described in the bullet points above in this Section) and leverage contract language, to the greatest extent possible, that uses the same words found in the EU-US Privacy Shield (again, as stated in the bulleted points above in this Section). Further, the third party should be prohibited from engaging any downstream processors or controllers without the first party controller’s prior consent and any first party controller-permitted additional controllers or processors that are engaged by the third party must be bound to terms that are consistent with the EU-US Privacy Shield and the agreement between the first party controller and the third party. The third party should be responsible to the first party controller for any downstream controller or processor failures.
- Seek contractual terms that:
(i) list specific security protocols with which the third party controller must comply. By way of example, request comprehensive information security policies, robust encryption at all times, strong password policies, limited user access and strong access controls, vulnerability testing and remediation, logging and monitoring, independent third party assessments based on appropriate criteria and compliance with established standards issued by organizations such as NIST or ISO;
ii) provide audit rights allowing the controller periodically to review and access third party controller compliance. The audit rights should include a review of the specific physical, technical, administrative and organizational security measures in place, both at the document/policy level and at the operational level (e.g., visits to data centers and the like);
iii) create indemnification rights in favor of the controller in the event that the third party controller violates its commitments under the agreement; and
iv) create meaningful liability exposure for the third party controller in the event that it violates the EU-US Privacy Shield-related provisions of its agreement with the controller.
In negotiating agreements with third party vendors certifying organizations should be mindful of the dynamics of the negotiation. Third party vendors will each have their own position on what constitutes appropriate security and the appropriate amount of liability for the vendor to absorb in the event of a data breach or contract violation. Controllers should develop and strive to formulate a minimum bar for security that is applied to all third party vendors grounded in defensible, industry best practices as to information security in light of the sensitivity of the personal data at-issue. Some third party vendors will not have all of the security measures sought by the controller, but the minimum bar deemed required by the controller should always be in place. Further, if a vendor is seeking to limit its liability vis-a-vis the controller, the controller should consider the request in the context of the commercial need for the contract being negotiated, the risk and magnitude of the potential loss to the controller in the event of a breach of that contract by the third party controller (consider fines, penalties, regulatory scrutiny, reputational harm, costs and expenses), the sensitivity of the data being placed with the vendor and how the contract at-issue fits into the overall portfolio of risk undertaken by the controller vis-a-vis other third party controllers and processors.
RISK MANAGEMENT EXTENDS BEYOND CONTRACT LANGUAGE
Companies with under-developed privacy and security programs typically rely upon contractual agreements in lieu of conducting security and privacy assessments of third parties. However, in the case of EU data that would give rise to a data breach notification obligation (bearing in mind that the GDPR will create those obligations across Europe, starting in May 2018), relying solely on contract provisions is wishful thinking when it comes to safeguarding confidential data. Under the new Privacy Shield framework, supplementing contract language with rational risk-based methodologies and operational controls is now important to safeguarding first party controller data that has been entrusted to others. While the text of the Privacy Shield does not explicitly call for an audit or assessment of third party vendors, the FTC has traditionally required some form of due diligence by the data controller of the vendor so that contract language is actually being enforced. Therefore, organizations subject to FTC enforcement are expected to adopt operational practices that govern third party data management practices extending beyond policy and contract language.
OPERATIONAL METHODOLOGY FOR VENDOR RISK MANAGEMENT
Global businesses are quickly becoming modular enterprises that outsource core components of their products and infrastructure to specialized vendors. Relying on third party platforms for cloud-based solutions, user access management, and other multi-tenant back end functions, while necessary to maintain competitive and enable cost effective growth, obscures an organization’s ability to understand and control sensitive data that flows through an expanding data ecosystem. This fragmentation requires an increased level of awareness and oversight by the data controller. Third party software is so deeply integrated into fundamental business processes that all organizations inevitably have direct and indirect relationships with third, fourth, and Nth party vendors, whether they are aware of these vendors or not.
Outsourcing functions and operations inherently increases the risk of regulatory violations. However, by conducting a detailed supply chain analysis and adopting a rational operational methodology, companies can better understand and mitigate the challenges of protecting sensitive or confidential information shared with external entities.
Step One – Evaluating Risk: Before approaching an assessment under the Privacy Shield framework, develop and communicate your organization’s approach to managing data risks created through outsourcing. Evaluate the risk that potential or current vendors pose to the data of your company. A partial list of factors to consider includes privacy implications, security standards, regulatory restrictions (both at home and abroad), and potential downstream processors.
Step Two – Identify Vendors and Services: Conduct a comprehensive vendor inventory to identify all relevant third parties and applications. This can be achieved by scheduling interviews with department managers to identify and document all in-scope services and systems. Be sure to include company affiliates in this process, as they may be considered separate legal entities under EU data protection law.
Step Three – Identify Trans-Atlantic Data Flows and Applicable Processes: Identify the individual processes or activities that require providing access to sensitive or confidential information. Then, identify the outsourcing relationships responsible for processing personal data under the scope of the Privacy Shield certification by focusing on data flows coming from the EU to the US. To effectively account for all data, create data flow diagrams to provide visibility into potential outside vendors that could have access to personal or confidential information. These data maps will assist your organization in identifying when to provide appropriate notice to the data subject. For example, the notice principle under Privacy Shield requires the data controller to notify the data subject before the personal data is first disclosed to a third party.
Step Four – Establish Rational Criteria to Evaluate Risk: Develop criteria to benchmark a vendor’s privacy and security practices. Each company will have its unique criteria tailored to its own business practices. Some factors that may be considered are the vendor’s reputation, the level of access and system integration granted, the sensitivity of accessible data, the number of previous data breaches reported by Vendor, as well as the Vendor’s existing privacy and security programs.
Step Five – Identify Methods to Evaluate Vendors: Create a logical scoring mechanism to evaluate a vendor’s infrastructure and business practices. Always baseline your assessment against authoritative literature. In this case, the Privacy Shield Principles would be the primary source of guidance, but organizations can also supplement with ISO, or NIST standards.
Step Six – Determine Risk Threshold and Risk Ranking: Each organization has a different tolerance for risk depending on the nature of the products or services and the types of personal data it collects. Based on the criteria established above, categorize each vendor as a Low, Moderate or High risk.
Step Seven – Conduct Risk Assessment Based Vendor Risk Level: When conducting a third party vendor risk assessment companies may utilize a single or combination of methods to evaluate risk and assess compliance, these approaches include but are not limited to: 1) self-assessment and reporting by the vendor, 2) leveraging existing company internal resources (such as Internal Audit personnel), or 3) reporting provided by external independent assessors.
The assessment should provide assurance to the company sharing the data, i.e. the receiving entities have adequate safeguards, to ensure the data is processed only for limited and specified purposes consistent with the notice provided and will provide the same level of protection as required by the EU- US Privacy Shield Principles. Additionally, companies should ensure that the data processor has a procedure in place to notify the data controller if it can no longer meet its obligation to provide the Privacy Shield level of protection.
Step Eight – Report and Track Assessment: Schedule a timeline for all vendor assessment activities and include deadlines for reports. Each stage of the process should be clearly documented and easily accessible for senior management.
This will help streamline the vendor risk management process for future engagements. Most importantly, detailed and organized documentation of the program and assessment process provides clear evidence of a serious, formal process in the event of an investigation by a regulatory body. Step Nine – Build an Exception Process: Depending upon an organization’s operations, some or many vendors and applications may fall outside the scope of the Privacy Shield, so an exception process should be developed and documented. The purposes for each specific exception should be justified, documented, and reported to management. For example, Privacy Shield carves out specific exceptions for journalistic, audit and investment banking activities.
Step Ten – Work with Management to Build Remediation Activities: Establish clear reporting and communication channels within the company. This includes creating a process for reporting vendor risks or discrepancies to senior management or the board of directors and promotes transparency within the organization.
Step Eleven – Maintain Program and Conduct Periodic Reassessments: Assign designated personnel and resources to conduct ongoing monitoring of the program and continue to evaluate the vendor risk management program on an annual or bi-annual basis. This individual could be a chief privacy officer or an employee within the privacy, compliance, or legal department, depending on the size of the organization.
USE CASES: APPLICATION OF METHODOLOGY
US Based Supplier with EU Presence:
As an example, consider a US Based Supplier (“Supplier”) has subsidiary offices in the EU as well as a heavy marketing presence in EU. Supplier will be subject to the jurisdiction of GDPR come May, 2018, and Supplier self-registers with the Privacy Shield. Supplier must first identify all flows of EU data entering the United States.
Then Supplier has to identify and inventory all third party vendors with access to EU customer or employee data and identify the applications and data elements incorporated within each data flow. Next, Supplier must ensure that all contracts with these vendors are updated to contain the necessary provisions required for compliance under Privacy Shield. This process may not be as straightforward as it sounds. Third party vendors typically push back on certain provisions regarding liability, stall and delay during the negotiation process, or, in the case of larger vendors with greater bargaining power, adopt a take-it-or-leave it approach, and refuse to amend any contract language all together.
After the contracting phase, Supplier must now implement an internal methodology to determine that each vendor maintains adequate security standards for safeguarding EU data as stated in the contract. Depending upon the sensitivity of the data, this may include conducting or contracting for periodic on-site assessments of vendor’s facility.
Cloud-Based Global Software Company: Diving deeper into the Privacy Shield, consider the example of a cloud-based software company (“Cloud Company”) offering Human Resources (“HR”) software and services for employee time and expense management. The company maintains sensitive data elements such as employee name, social security number, salary and benefits information, and employee performance data.
Cloud Company manages and stores this data on behalf of other organizations from around the world. Assume Cloud Company has existing contract language in place for managing and restricting trans-border data flows, with certain exceptions built in for specific client needs. However, under the new Privacy Shield framework, to the extent that it is relying on Privacy Shield to transfer EU personal data to the US, Cloud Company must reassess its internal processes and vendor agreements to comply with the Privacy Shield’s supplemental principles for HR data. This means that if Cloud Company engages another data storage company in the United States (for scenarios such as data overload, disaster management, or data backup) that is not Privacy Shield certified, additional provisions will be required to safeguard EU data, such as de-identification or pseudonymization of all EU Data. As a best practice, Cloud Company should conduct or contract for routine privacy and security assessments to ensure that vendor’s operations align with the contract provisions and Privacy Shield principles.
USING EXTERNAL PROFESSIONAL SERVICES
Determine if your organization has adequate resources to manage the risks of outsourcing EU data, if not, consider engaging a third party to assist with the process. Engaging a qualified external legal and consulting practice can help an organization overcome shortcomings typically overlooked during an internal self-assessment. In addition, experienced professionals can provide step by step guidance during the process, yielding higher quality assessments and mitigating the potential risks of regulatory sanctions and reputational damage.
 See: www.statista.com/statistics/ 273550/data-breaches-recorded-in- the-united-states-by-number-of- breaches-and-records-exposed/
 See 1.b Notice
 See 2. Journalistic Expectations and 4. Performing Due Diligence and Conducting Audits
 See Principle 9. Human Resources Data; EU-US Privacy Shield: www.commerce.gov/page/eu-us- privacy-shield