Best-Practice Data Transfers for Canadian Companies – III – Vendor Contracts

PREPARING FOR DATA TRANSFER – CLAUSES FOR VENDOR CONTRACTS

A three-part series from KI Design:

Part I: Data Outsourcing

Part II: Cross-border Data Transfers

Part III: Preparing for Data Transfer – Clauses for Vendor Contracts

The following guidelines are best-practice recommendations for ensuring that transferred data is processed in compliance with the privacy legislation that applies to it.

While a contract creates legal obligations for a Vendor, your company must still take proactive measures to oversee data protection, as it retains legal responsibility for transferred data. So where the Vendor is providing services that involve data transfer, include the following clauses in your contract:

Privacy and Security Standards

  1. The Vendor confirms that it will manage the data through the data lifecycle according to the privacy standards followed by (your company). The Vendor will provide documentation to confirm that these standards are being followed.
  2. The Vendor will demonstrate that it has audited, high-level technical and organizational security practices in place.
  3. The Vendor will ensure that all data to be transferred is encrypted or de-identified as needed.
  4. If the Vendor will be using another downstream data processor to fulfill part of the contract, the Vendor will inform (your company) of this, and will implement with that third party a contract containing data protection measures equal to those in the contract between (your company) and the Vendor.

Integrity of Data

  • The Vendor will ensure that all data to be transferred is within the limits of the original intended purpose of data collection.
  • The Vendor will ensure that all data to be transferred is accurate, current, and complete. Data will be updated or deleted as needed, and confirmation will be provided that this has occurred.

Data Breaches

  • The Vendor confirms that it has insurance that will cover a data breach.
  • The Vendor confirms that it will notify (your company) immediately in the event of a data breach.

Data Ownership

  • Ownership of data assets transferred to the Vendor remains with (your company).

Auditing

  • The Vendor agrees to ongoing monitoring of the data transfer process by (your company), and will provide any data that (your company) requests for auditing purposes.

OTHER THINGS TO CONSIDER

Have you:

  • Ensured that your Vendor has a high level of technical expertise?
  • Familiarized yourself with all relevant legislation, both in your home jurisdiction and the jurisdiction into which the data will be transferred?
  • Done a risk analysis of the data transfer, so that you are aware of potential security risks?
  • Done a data breach impact assessment, so that you’re aware of any areas of potential risk, and have planned out how your organization would respond to a breach?
  • Ensured that your contract spells out the precise responsibilities of each party regarding data security through the different stages of the data life cycle?
  • Confirmed with your Vendor that the Vendor’s own legal requirements under the GDPR will not be compromised by any part of the contract?
  • Where the data will cross jurisdictional boundaries, notified data subjects that their personal information is being transferred, and why? Have you tagged the data with its country of origin and the data subject’s “opt in/opt out” preferences?

Focusing on data protection issues from the procurement process onward will diminish data breach and other security risks. Create a Request For Proposals template that ensures security elements are included in the evaluation process, and audit and monitor outsourcing operating environments for early detection of any suspicious activity. Limit data transfers across company, provincial, or national borders, and avoid any unintended cross-border data transfers.

REMEMBER: Your company is still legally responsible for transferred data

For further information on data transfers, and privacy compliance matters generally, see the book Privacy in Design: A Practical Guide to Corporate Compliance, available on Amazon.