The European Union’s General Data Protection Regulation:
Under the GDPR, the data controller is responsible for assessing its processor’s compliance with the GDPR’s requirements. This assessment takes into account the nature of the processing and the risks to the data subjects. Article 28(1) of the GDPR states that “where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject.”
Although data controllers are primarily responsible for their processors’ GDPR compliance, this does not mean GDPR compliance isn’t a concern for the data processor or the vendor. Article 28(3) of the GDPR requires businesses to engage vendors for data processing under a written contract. The contract should set out the subject matter and duration of the processing, its nature and purpose, the type of personal data and categories of data subjects, and the controller’s obligations and rights. Such a contract must stipulate that the vendor or processor will process the personal data only on documented instructions from the controller, and it must include other reasonable safeguards to ensure proper data privacy compliance under the GDPR.
However, the data controller remains primarily responsible for ensuring the compliance of its data processors. Regardless of the terms of the contract with a data processor, the data controller may face sanctions under the GDPR. Data controllers are also required to ensure data processors’ compliance on an ongoing basis, in order to comply with the accountability principle and demonstrate due diligence under the GDPR.
The California Consumer Privacy Act:
Under the CCPA, businesses that share consumer personal information with vendors and service providers assess those vendors to understand any existing gaps against the CCPA. The CCPA requires businesses to provide specified information to consumers about the data they share with vendors. It also requires companies to notify their vendors when a consumer has submitted a data subject rights request under the privacy law. Businesses must also ensure that service provider entities understand and respect consumers’ data rights and do not use the data in any manner inconsistent with CCPA requirements.
Under the CCPA, a service provider is an entity that processes information on behalf of a business (the data controller). For proper privacy compliance, the CCPA makes it mandatory for businesses to sign written contracts with vendors, service providers, or any other entities to which they sell or disclose consumer data for any commercial or business purpose. The contract should prohibit the service provider from retaining, using, or disclosing the personal information for any purpose other than the specific purpose of performing the services specified in the contract. A service provider is liable for civil penalties if it uses the personal information received from businesses in violation of the CCPA. If a service provider fails to cure CCPA violations within 30 days, it is liable for a civil penalty under laws pertaining to unfair competition in a lawsuit brought by the Attorney General.
With all these strict rules and regulations for data controllers and vendors in place, vendor assessments have become an obligation for staying compliant. They allow data controllers to understand how to mitigate the risks of dealing with vendors. There have been various incidents in recent years where vendor data breaches have had catastrophic results. For example, in June 2019, an unauthorized user gained access to Quest Diagnostics’ sensitive data through a billing vendor named the American Medical Collection Agency (AMCA). The hacker gained access to sensitive data of 11.9 million patients, including credit card numbers, bank account information, and social security numbers. The Quest Diagnostics breach was the most significant vendor data breach of all time. This is why organizations need to be careful to conduct vendor assessments before onboarding a data processing vendor. Assessing vendors before partnering with them is essential to thriving in an era of strict data privacy regulations. Even the smallest lapse in controls, including one on the vendor’s side, can severely dent an organization’s credibility.