Executive Summary
Engaging third parties to process personal data does not transfer accountability. Under DPDPA the Data Fiduciary remains responsible for processing undertaken on its behalf by a Data Processor, irrespective of any agreement to the contrary, and may engage a processor only under a valid contract. This guide addresses how to select, contract with, and oversee data processors so that this accountability can be demonstrated.
Key Takeaways
1. Conduct due diligence before engaging any processor handling personal data
2. Implement data processing agreements with mandatory provisions
3. Establish ongoing oversight mechanisms proportionate to processing risk
4. Plan for processor transitions, including data return and deletion
5. Maintain documentation supporting the accountability chain
1. Understanding the Fiduciary-Processor Relationship
Under DPDPA, the Data Fiduciary is the person who determines the purpose and means of processing; a Data Processor processes personal data on the fiduciary's behalf. This is a principal-agent relationship in which the fiduciary retains accountability for what the processor does. The Act makes the fiduciary responsible for compliance in respect of processing undertaken on its behalf, so a processor's failure (a breach, a use outside the agreed purpose, a missed deletion) is the fiduciary's compliance failure, whatever the contract says about indemnities.
2. Pre-Engagement Due Diligence
Before engaging a processor, assess their capability to handle personal data appropriately.
Security Assessment
Evaluate the processor's security posture through questionnaires, certifications, independent audit reports (for example SOC 2 Type II), or on-site assessments, as appropriate to the risk level. Read the certified scope and the exceptions noted in any audit report, not just the cover page.
Compliance Capability
Assess whether the processor understands and can comply with DPDPA requirements. Request evidence of their compliance programme.
Technical Capability
Verify that the processor has the technical capability to fulfil data protection requirements, including locating and exporting a Data Principal's data for access and correction requests, erasing it when the purpose is served or consent withdrawn, and detecting and reporting breaches within the agreed timeline.
Financial Stability
Consider the processor's financial stability. A processor that fails financially may not be able to maintain data protection or facilitate orderly transition.
Reference Checks
Seek references from other customers regarding the processor's data protection performance.
Practical Tips
- Proportionality applies: a major cloud provider processing sensitive data warrants more diligence than a small contractor with limited access
- Industry certifications like ISO 27001 provide evidence but do not substitute for specific due diligence; check that the certified scope actually covers the services, sites, and teams that will process your data
3. Data Processing Agreements
Formal agreements establish processor obligations and fiduciary rights. DPDPA permits engaging a processor only under a valid contract, so the agreement is a precondition of the engagement, not paperwork to be completed afterwards.
Processing Scope
Clearly define what processing the processor is authorised to perform, including data categories, purposes, and duration.
Security Requirements
Specify the security measures the processor must implement. Reference specific standards or controls (encryption of data at rest and in transit, access control and logging, a named control framework) rather than vague best-efforts language, so that compliance can be tested rather than argued about.
Subprocessor Controls
Address whether the processor may engage subprocessors, under what conditions, and with what notice requirements.
Assistance Obligations
Require the processor to assist with Data Principal requests, audits, breach response, and impact assessments.
Breach Notification
Mandate prompt notification of any personal data breach, specifying timelines and the information to be provided. The fiduciary's own duty to notify the Data Protection Board and affected Data Principals is not suspended while it waits for the processor, so the processor's deadline must leave the fiduciary enough time to meet its own.
Audit Rights
Reserve the right to audit processor compliance, either directly or through independent auditors.
Termination and Transition
Address data return or deletion upon termination, transition assistance, and post-termination obligations.
4. Ongoing Oversight
The relationship does not end with contract signing. Ongoing oversight ensures continued compliance.
Periodic Assessments
Conduct regular assessments of processor compliance. The frequency and depth should reflect processing risk.
Certification Monitoring
If relying on certifications, monitor their currency. Expired or revoked certifications may indicate compliance problems.
Incident Review
Review any incidents involving the processor, even those that did not result in breach. Patterns may indicate systemic issues.
Performance Metrics
Track processor performance on data protection obligations such as request response times and security metrics.
Change Monitoring
Stay informed of significant changes in processor operations, ownership, or subprocessor relationships that might affect risk.
5. Managing Subprocessors
Many processors engage their own subprocessors, creating extended processing chains.
Visibility
Require processors to disclose subprocessors and maintain current lists. You cannot assess what you cannot see.
Flow-Down Requirements
Ensure processor agreements require subprocessors to be bound by equivalent obligations.
Change Notification
Require advance notice of new or changed subprocessors, with opportunity to object.
Subprocessor Assessment
For significant subprocessors, consider conducting direct assessment or requiring processors to share their diligence results.
6. Handling Processor Transitions
Changing processors requires careful planning to protect data throughout the transition.
Transition Planning
Develop detailed plans for data migration, including timelines, responsibilities, and verification procedures.
Data Extraction
Extract data from the outgoing processor in usable, documented formats. Verify completeness (record counts and identifiers reconciled against the outgoing processor's own export) and integrity (checksums computed at extraction and re-checked after transfer).
Migration Execution
Transfer data to the new processor using secure methods. Minimise the window of parallel processing.
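The completeness and integrity checks described under Data Extraction and Migration Execution can be automated with a manifest produced at the outgoing processor and re-checked at the incoming one. The following is an added illustration, not code from this guide or from any processor's tooling; the record layout, the sample records, and the function names (build_manifest, verify_migration) are assumptions constructed for the example.

```python
"""Manifest-based verification of a personal-data migration between processors.

Added example (not part of the guide). The record layout, helper names and
sample records are assumptions constructed for illustration.
"""
import hashlib
import json

# Constructed sample export: what the outgoing processor hands back.
SOURCE_RECORDS = [
    {"id": 1, "name": "Asha", "email": "asha@example.invalid"},
    {"id": 2, "name": "Bikram", "email": "bikram@example.invalid"},
    {"id": 3, "name": "Chitra", "email": "chitra@example.invalid"},
]


def canonical_bytes(record):
    """Serialise a record deterministically so equal records hash equally."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def record_digest(record):
    return hashlib.sha256(canonical_bytes(record)).hexdigest()


def _summary_digest(digests):
    """Digest over the sorted per-record digests: detects a manifest edited or truncated in transit."""
    h = hashlib.sha256()
    for rid in sorted(digests):
        h.update(f"{rid}:{digests[rid]}\n".encode("utf-8"))
    return h.hexdigest()


def build_manifest(records, id_field="id"):
    """Produced at the outgoing processor at extraction time, shipped separately from the data."""
    digests = {}
    for rec in records:
        rid = str(rec[id_field])
        if rid in digests:
            raise ValueError(f"duplicate record id in export: {rid}")
        digests[rid] = record_digest(rec)
    return {"count": len(digests), "records": digests,
            "manifest_digest": _summary_digest(digests)}


def manifest_is_consistent(manifest):
    """Recompute count and summary digest before trusting the manifest at all."""
    return (manifest["count"] == len(manifest["records"])
            and manifest["manifest_digest"] == _summary_digest(manifest["records"]))


def verify_migration(manifest, received, id_field="id"):
    """Compare records loaded at the new processor against the source manifest.

    'ok' is True only when every source record arrived unchanged and nothing
    else arrived; missing, altered and unexpected ids are listed for follow-up.
    """
    report = {"ok": False, "missing": [], "altered": [], "unexpected": [], "error": None}
    if not manifest_is_consistent(manifest):
        report["error"] = "manifest digest mismatch: manifest altered or truncated"
        return report
    expected = manifest["records"]
    seen = {}
    for rec in received:
        rid = str(rec[id_field])
        if rid in seen:
            report["error"] = f"duplicate record id at destination: {rid}"
            return report
        seen[rid] = record_digest(rec)
    report["missing"] = sorted(set(expected) - set(seen))
    report["unexpected"] = sorted(set(seen) - set(expected))
    report["altered"] = sorted(r for r in expected if r in seen and seen[r] != expected[r])
    report["ok"] = not (report["missing"] or report["altered"] or report["unexpected"])
    return report


def demo():
    """Clean load versus a simulated bad load (one record dropped, one altered in transit)."""
    manifest = build_manifest(SOURCE_RECORDS)
    clean = verify_migration(manifest, SOURCE_RECORDS)
    damaged = [dict(r) for r in SOURCE_RECORDS[:2]]
    damaged[1]["email"] = "bikram@other.invalid"
    broken = verify_migration(manifest, damaged)
    return clean, broken


if __name__ == "__main__":
    clean, broken = demo()
    print("clean load ok:", clean["ok"])
    print("damaged load:", {k: v for k, v in broken.items() if v})
```

The manifest should travel on a different channel from the data (and ideally be signed by the outgoing processor) so that an attacker who can alter the export in transit cannot also alter the digests. The check establishes completeness and integrity only; confidentiality of the transfer itself still depends on the secure transport method chosen for the migration.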
Data Deletion
Require the outgoing processor to delete all personal data after successful migration, including copies held in backups and by its subprocessors, and state any retention exception (for example a legal obligation) explicitly. Obtain written certification of deletion that identifies what was deleted, when, and by what method.
Contractual Wind-Down
Manage contract termination according to terms, addressing any ongoing obligations such as confidentiality.
7. Documentation
Maintain comprehensive records of processor relationships and oversight activities.
Processor Inventory
Maintain current lists of all processors, the data they process, and relevant contract details.
Due Diligence Records
Preserve evidence of due diligence conducted before and during engagements.
Contracts and Amendments
Maintain executed agreements and any modifications.
Oversight Records
Document oversight activities including assessments, audit findings, and issue resolution.