Categories: Privacy

Best-Practice Data Transfers for Canadian Companies – III – Vendor Contracts

PREPARING FOR DATA TRANSFER – CLAUSES FOR VENDOR CONTRACTS

A three-part series from KI Design:

Part I: Data Outsourcing

Part II: Cross-border Data Transfers

The following guidelines are best-practice recommendations for ensuring that transferred data is processed in compliance with standard regulatory privacy laws.

While a contract creates legal obligations for a Vendor, your company must still take proactive measures to oversee data protection, as it retains legal responsibility for transferred data. So where the Vendor is providing services that involve data transfer, include the following clauses in your contract:

Privacy and Security Standards

  1. The Vendor confirms that it will manage the data through the data lifecycle according to the privacy standards followed by [your company]. The Vendor will provide documentation to confirm that these standards are being followed.
  2. The Vendor will demonstrate that it has audited, high-level technical and organizational security practices in place.
  3. The Vendor will ensure that all data to be transferred is encrypted or de-identified as needed.
  4. If the Vendor will be using another downstream data processor to fulfill part of the contract, the Vendor will inform [your company] of this, and will implement with that third party a contract containing data protection measures equal to those in the contract between [your company] and the Vendor.

Integrity of Data

Data Breaches

Data Ownership

Auditing

 

OTHER THINGS TO CONSIDER

Have you:

Focusing on data protection issues from the procurement process onward will diminish data breach and other security risks. Create a Request For Proposals template that ensures security elements are included in the evaluation process, and audit and monitor outsourcing operating environments for early detection of any suspicious activity. Limit data transfers across company, provincial, or national borders, and avoid any unintended cross-border data transfers.

REMEMBER: Your company is still legally responsible for transferred data

A three-part series from KI Design:

For further information on data transfers, and privacy compliance matters generally, see Waël Hassan’s book Privacy in Design: A Practical Guide to Corporate Compliance, available on Amazon.

 

Article info



Leave a Reply