The recent data breach at Loyaltybuild will have made many companies who transfer customer personal data to third party service providers nervous.
A breach of this nature has implications not only for the service provider / data processor, but also for the data controller involved – ie the company who engages the service provider to provide services involving the processing of its customer data. Such companies are, as data controllers, ultimately responsible under Data Protection law for their customer data.
The breach underlines the importance for data controllers of not only ensuring that they fulfil their obligations under law vis-à-vis their data processors, but also ensuring that such obligations are in fact complied with in practice.
In circumstances where a company wishes to engage a service provider who will, in the course of providing the services, process personal data on its behalf, there is a requirement under section 2C(3) of the Data Protection Acts 1988 and 2003 for there to be a written agreement between the parties which includes certain data processing language - ie a provision that the data processor will process personal data solely in accordance with the instructions of the data controller, that the data processor will comply with the data security obligations of the Data Protection Acts and that the data controller will have the right to verify the data processor's compliance with these obligations.
It is also recommended to include provisions requiring the service provider to: inform the data controller of any data breach and cooperate with it in mitigating any such breach; inform the data controller of any data access request it receives and assist the data controller in complying with any such request; and not transfer any personal data outside of the EEA without the consent of the data controller. Requiring the service provider to report data breaches to the data controller will also facilitate the data controller’s compliance with the Data Protection Commissioner’s Personal Data Security Breach Code of Practice.
If the parties will be signing up to a written services agreement, then the section 2C(3) contractual language can be included within the services agreement (instead of being included in a stand-alone data processing agreement).
Data controllers should also carry out regular audits of their data processors (visiting the data processor premises if necessary), in order to ensure that the data processors are, in practice, complying with the obligations set out in the data processing agreement. Data controllers should check, in particular, that the data processor has adequate security measures in place to safeguard the personal data, and that the data processor has procedures in place to ensure that security breaches are reported, as soon as practicable, to the data controller.