DPCC – Outsourcing - Paper
@TommyVandepitte
DATA PROTECTION COMPLIANCE CHECK
OUTSOURCING
FOCUS ON RELATIONSHIP C-P
Summary Explanation of this Document
Outsourcing data processing operations entails specific risks and requirements under the law and
under sound risk management.
Therefore a set of three templates is developed to look at outsourcing of data processing operations:
(1) the (internal) organisation of the controller including policies and procedures,
(2) the relationship between the controller and the processor, mainly via the agreement and
(3) the (internal) organisation of the processor.
This template aims to give guidance to a check on a specific relationship between a controller and a
processor, thus limiting the scope.
The DPCC contains checklists. They aim to provide some guidance in the check. However, be aware
that some (parts of) checklists may not apply and that no checklist ever includes all possible relevant
questions. So check with open eyes.
This template addresses that relationship looking at several stages from the controller side
(a) in the selection,
(b) in the agreement and
(c) in (the follow-up of) the performance.
This template should be used in a risk-based fashion. Therefore it is expected that critical, key, and/or
high-risk outsourced data processing operations of the controller are submitted to a check with priority.
The result of this check is hopefully a degree of comfort that the controller's procedures and rules with
regard to outsourcing data processing operations are being applied. If such comfort is not found, it should
be determined whether the situation can be remedied, through an amendment to the agreement or to the
follow-up mechanisms, or through better discipline in applying them. Lessons may also be learnt with regard
to the effectiveness of the controller's procedures and rules.
Content
Summary Explanation of this Document
Content
Basics
  DPCC – Outsourcing
  DPCC ID
  Scope
Overview of the Checks
Selection of the processor
  Background Info of the Selection Process
  Documentation
  Criteria
  Decision
  Conclusion
Agreement with the processor
  Conclusion
Follow-up of the processor
  Conclusion
References
  Activity Log
  Documentation received
  Interviews & Questionnaires
Basics
DPCC – Outsourcing
On outsourcing there are a number of checks to be installed. On outsourcing of data processing
operations in itself there are grosso modo three angles to look at: (1) the (internal) organisation of the
controller including policies and procedures, (2) the relationship between the controller and the
processor, mainly via the agreement and (3) the (internal) organisation of the processor. The check on
the relationship between the controller and the processor is addressed in several stages: in the
selection, in the agreement and in (the follow-up of) the performance. This DPCC aims to check and
look for possible improvements in these approaches from a data protection perspective.
The DPCC contains checklists. They aim to provide some guidance in the check. However, be aware
that some (parts of) checklists may not apply and that no checklist ever includes all possible relevant
questions. So check with open eyes.
DPCC ID
Planning reference <reference to the DPCC overall planning, if any>
Prior similar DPCC(s) <reference to similar DPCC, in case a DPCC with similar scope was
performed, and is now repeated, for reasons of comparison over time>
Date / Period DPCC <date on or period in which the DPCC will be performed + as the case may
be estimate v actual mandays needed >
(Lead) Checker <name of the lead checker >
Departments of
Controller involved
<departments involved e.g. through requests for documentation, interviews,
… most likely the procurement department, legal department, department
that is accountable for the data set and should have an outsourcing manager,
etc.>
Budget reference <reference to the budget, if any>
Reporting line <recipients of the results, departments, functions and/or names>
Scope
The scope is determined based on a target controller-processor relation with a potential further
narrowing of the scope to a particular data set and/or data processing operation. During the actual check
it is possible that this has to be slightly refocused as the scoping is generally based on some
assumptions. Should a refocus be significant, the DPCC may be restarted or continue under a strict
focus. In any case such discovery of assumptions being wrong is reported to increase the knowledge of
the data processing operations in the organisation.
Parties
Controller(s) in scope <name controller>
Processor(s) in scope <name processor>
Data set
Data Subjects <category(ies) of data subjects, if not sure at start of DPCC: assumption>
Data (Categories) <category(ies) of data, if not sure at start of DPCC: assumption>
Purpose <purpose(s) for which the data is used, if not sure at start of DPCC:
assumption>
Processing by the Processor(s)
Types of processing <types of processing by the processor with regard to the data set, if not sure
at start of DPCC: assumption>
<consider: collection, recording, organization, storage, adaptation or
alteration, retrieval, consultation, use, disclosure by transmission,
dissemination or otherwise making available, alignment or combination,
blocking, erasure or destruction>
Overview of the Checks
Overview of the tests
1 Selection of the processor: The controller that uses the services of the processor has to
take into account that the chosen processor offers adequate guarantees on the technical and
organizational security measures with regard to the outsourced data processing operations.
2 Agreement with the processor: The controller that uses the services of the processor should
have a written agreement with the processor, which must include compulsory provisions and
(best) should include useful provisions.
3 Follow-up of the processor: The controller that uses the services of the processor should have
a procedure in place to follow-up the performance of the processor (with regard to data
protection).
Selection of the processor
Background Info of the Selection Process
When did the selection process take place?
Start date of the selection process <date>
What is considered the start of the selection process?  Formal decision to outsource
 Sending out the RFI
 Other: …
End date of the selection process <date>
What is considered the end of the selection process?  BAFO of the processor
 Formal decision to outsource to this
processor
 Date of execution / signature of the
agreement with the processor
 Other: …
Who within the controller (department, function, name) was involved in the selection process?
 Background: These people are potential interviewees should the documentation give an insufficiently
detailed view of the situation; even where the documentation seems sufficient, they can help to establish
whether it is complete.
 Note: It is possible that not all persons involved or all parameters are known. Try to get at least the
information on the key people involved.
Task(s) Name Function Department
Lead negotiator
Representative of
business involved
Legal support
Decision taker
Documentation
Did the controller that uses the services of the processor document the selection process?
Namely, that the processor (to be) chosen offers adequate guarantees on the technical and
organizational security measures with regard to the data processing operations.
 Background / Assumption
 A structured selection has several phases like research for potential players (e.g. via a
search in publicly available information or a Gartner Magic Quadrant), Request for Information
(RFI), Request for Proposal (RFP), Best and Final Offer (BAFO), decision, adjudication, etc.
 Even in an unstructured selection process documents are exchanged back and forth between
the parties and some internal memo are drafted to support the decision.
 Suggestions
 Most likely this documentation, if any, is kept at the procurement or legal department, in the
same file as the agreement with the processor. At least they should know where it is kept.
 Do not accept the statement that there is such documentation, in the context of this DPCC,
the documentation should be presented for review. Add the documentation received or reviewed
in the list in annex.
. General
Data protection is inserted in the documentation of the selection process of a
processor
 No.
 Yes.
. Approach (applied in the case in scope)
What is the approach or are the approaches to inserting
data protection in the selection process?
 Research of the publicly available
credentials / reference of the candidates.
 Questions to the candidates.
 Documentation presented by the
candidates.
Type of questions  Not applicable.
 Open questions.
 Closed questions (i.e. seeking specific
answers or yes/no answers).
Proof provided by the processor  None.
 Documents/policies.
 Certifications.
 Control results.
 Control / visit by controller.
. Per phase: was data protection inserted in a phase (applied in the case in scope)
Included in the basic requirements to participate in the selection
process (e.g. general or specific buyer terms of the controller)
 No.
 Yes.
Included in the RFI – sent out by the controller  No.
 Yes.
Included in the RFI – response by the processor  No.
 Yes.
Included in the RFP – sent out by the controller  No.
 Yes.
Included in the RFP – response by the processor  No.
 Yes.
Included in the BAFO  No.
 Yes.
Included in the decision to choose the processor  No.
 Yes.
Criteria
The controller that uses the services of the processor has to take into account that the chosen processor offers adequate guarantees on the technical and
organizational security measures with regard to the data processing operations. What criteria were used to that end?
 Suggestions
 Look for predetermined criteria (explicitly) being used to select the processor and for criteria that may not have been predetermined, but de facto were
used.
. Criteria (explicitly or implicitly applied in the case in scope)
Criterion Used? How applied to processor?
Is the processor a member of the economic
group of the controller?
 No.
 Explicitly.
 Implicitly.
 Processor is group member.
 Processor is no group member.
Is the processor located in the same country
as the controller, in the European Union, in the
European Economic Area or in a country ensuring an
adequate level of data protection?
 No.
 Explicitly.
 Implicitly.
 Processor is located in the same country as the controller.
 Processor is located in the EU.
 Processor is located in the EEA outside EU.
 Processor is located in a country ensuring an adequate level of data protection outside
EEA.
 Processor is located in a country not ensuring an adequate level of data protection.
Is any processing operation by the processor
located in a country not ensuring an adequate
level of data protection?
 No.
 Explicitly.
 Implicitly.
 No, all processing operations are to be performed in the EU.
 No, all processing operations are to be performed in the EEA outside EU.
 No, all processing operations are to be performed in a country ensuring an adequate
level of data protection outside EEA.
 Yes, some processing operations are to be performed in a country not ensuring an
adequate level of data protection: namely <processing operation> in <country>.
Is the processor under a duty of
confidentiality?
 No.
 Explicitly.
 Implicitly.
 Yes, the processor is under a statutory duty of confidentiality which is criminally
sanctioned for the processing in scope.
 Yes, the processor is under a statutory duty of confidentiality which is not criminally
sanctioned for the processing in scope.
 Yes, the processor is under a deontological duty of confidentiality which is sanctioned
by a professional ethics body for the processing in scope.
 Yes, the processor is under a contractual duty of confidentiality.
 No, the processor is not under a duty of confidentiality.
What is the processor’s image with regard to
data protection (i.e. presentation by the
company itself)?
 No.
 Explicitly.
 Implicitly.
 No information available.
 The processor did not profile itself with regard to data protection.
 The processor profiled itself with regard to data protection as being compliant.
 The processor profiled itself with regard to data protection as going beyond
compliance, striving for a very high level of data protection and/or information security.
 The processor profiled itself with regard to data protection as (bindingly) committing to go
beyond compliance, striving for a very high level of data protection and/or information
security.
What is the processor’s reputation with regard
to data protection (i.e. public perception)?
 No.
 Explicitly.
 Implicitly.
 No information available.
 The available information does not indicate negative experiences.
 The available information seems to support data protection compliance.
What is the processor’s experience in the
handling of personal data?
 No.
 Explicitly.
 Implicitly.
 No, handling personal data is exceptional for the processor.
 Yes, handling personal data is a service commonly supporting the core business of the
processor.
 Yes, handling personal data is the core business of the processor.
Does the processor have a Data Protection
Officer and/or Information Security Officer in
place, that the controller could talk to during
the selection?
 No.
 Explicitly.
 Implicitly.
 No information available.
 No DPO or ISO appointed.
 A DPO and ISO appointed, but no access to them.
 A DPO and ISO appointed, and fairly free access to them.
Does the processor have Binding Corporate
Rules for Processors in place, that have been
acknowledged by the relevant Data Protection
Authorities?
 No.
 Explicitly.
 Implicitly.
 No information available.
 No the processor does not have BCRs in place.
 The processor has BCRs in place and makes them publicly available (e.g. on their
website).
 The processor has BCRs in place and spontaneously made them available during the
selection process.
 The processor has BCRs in place and made them available during the selection
process but only on persistent request.
How did the delegation of the processor
respond to the interview by the Data
Protection Officer and/or Information Security
Officer of the controller?
 No.
 Explicitly.
 Implicitly.
 The interview did not take place.
 The processor gave the impression of considering data protection a cost-factor.
 The processor gave the impression of considering data protection a burden.
 The processor did not give the impression to be engaged in data protection.
 The processor gave the impression of being actively engaged in data protection.
 The processor gave the impression of having a true data protection culture in place.
Did the processor provide copies of its most
relevant internal policies? Did they show
competence and were they reasonable?
 No.
 Explicitly.
 Implicitly.
 None that we are aware of.
 No, the processor did not provide such documents even when requested.
 Yes, the processor provided such documents upon request.
 Yes, the processor provided such documents even without being requested.
 Yes, the processor provided such documents, in such a way that some weaknesses in
its frameworks could be detected.
Did the processor have past incidents with
regard to handling data? How were they
handled?
 No.
 Explicitly.
 Implicitly.
 None that we are aware of.
 Yes. The processor reluctantly admitted to them.
 Yes. The processor was very transparent about how they handled them.
Did the processor incur sanctions in relation to
handling data?
 No.
 Explicitly.
 Implicitly.
 None that we are aware of.
 No, the processor made a warranty during the selection process that there were no
such sanctions imposed.
 Yes, the processor openly admitted to it.
 Yes, the processor admitted to it but only on persistent request.
Did the processor give remarkable answers to
the questions on data protection / security in
the selection process? (e.g. mistakes with
regard to technical features, norms,
certificates, internal policies, etc.)
 No.
 Explicitly.
 Implicitly.
 None that we are aware of.
 Yes, the processor did not seem to be bothered by them.
 Yes, the processor later rectified in writing.
Might the overall (financial) situation of the
processor have an impact on data protection?
E.g. a tendency to grow by acquisition, a risky
financial situation, activity in corruption-prone
countries, etc.
 No.
 Explicitly.
 Implicitly.
 None that we are aware of.
 Yes, but this was not picked up during the selection process.
 Yes, further information was provided by the processor during the selection process.
 Yes, warranties were provided by the processor during the selection process.
Is there relevant prior audit assurance
available (e.g. from third party audits)?
 No.
 Explicitly.
 Implicitly.
 No relevant prior audit assurance available.
 ISO27001 certified in the last 3 years.
 SOC1 or SOC2 made available by the processor.
 Other: xxx
What was the advice of the Data Protection
Officer and/or Information Security Officer of
the controller?
 No.
 Explicitly.
 Implicitly.
 No advice from the DPO or ISO.
 Negative advice or high risk warning from the DPO or ISO.
 Advice to put some additional safeguards in place.
 No objection (nihil obstat) from the DPO and ISO.
Intermediary conclusion:
 The criteria to assess the data protection risk were explicit, reasonable and coherent.
 The criteria to assess the data protection risk were reasonable and coherent, even if implicit.
 The criteria to assess the data protection risk cannot be considered reasonable and coherent.
 There were no criteria to assess the data protection risk.
Decision
Overall, what was the data protection risk assessment of engaging this processor?
 Suggestions
 Look for predetermined criteria (explicitly) being used to select the processor and for criteria
that may not have been predetermined, but de facto were used.
. At the time of the selection
The data processing operation was internally assessed as…
(in case of more data processing operations, the highest)
 Very high risk.
 High risk.
 Medium risk.
 Low risk.
Additional comment to this answer
Outsourcing the data processing operation was assessed as…
(in case of more data processing operations, the highest)
 Very high risk.
 High risk.
 Medium risk.
 Low risk.
Additional comment to this answer
In comparison to performing the data processing operation
internally, outsourcing the data processing operation was assessed
as…
 A higher risk.
 An equal risk.
 A lower risk.
Additional comment to this answer
In comparison to outsourcing the data processing operation to any
other candidate in the selection process, outsourcing it to the
processor was assessed as…
 A higher risk.
 An equal risk.
 A lower risk.
Additional comment to this answer
. In the context of the DPCC
The risk assessments at the time seem reasonable given the
information that seemed to have been available at the time of the
assessment.
 No.
 Yes.
If the selection procedure had included reasonable information
gathering on data protection, so that more information would
reasonably have been available at the time of the decision, would
the outcome of the risk assessments likely have been different?
 Hard to determine.
 No.
 Yes.
* * *
What was the impact of the data protection risk assessment on the final decision?
. Impact in selection decision
Was there an impact of the data protection risk assessment on the
decision?
 No.
 Yes.
Were there specific items of the data protection risk that the decision
explicitly wanted to avoid?
 No.
 Yes.
If “yes”, were the necessary measures taken to avoid those risks?  No.
 Yes.
Additional comments: which measures?
Were there specific items of the data protection risk that the decision
explicitly wanted to allocate to the processor?
 No.
 Yes.
If “yes”, were the necessary measures taken to allocate those risks
to the processor (via the agreement)?
 No.
 Yes.
Additional comments: which measures?  Representations and warrants.
 Specific duties for the processor, e.g. (additional)
minimum security measures, reporting duties, etc.
 Specific liabilities for the processor.
 Other: …
Were there specific items of the data protection risk that the decision
explicitly wanted to insure?
 No.
 Yes.
If “yes”, was the insurance taken to cover that (part of the) risk?  No.
 Partly.
 Yes.
What are the references of
the insurance agreement?
Insurer: xxx
Reference of the insurance agreement: xxx
Reference of the relevant parts of the insurance agreement: xxx
Was there an explicit acceptance of the residual risks?  No.
 Yes.
Were the residual risks reasonably known to the decision maker(s)?  No.
 Yes.
Conclusion
 Data protection is a concern that was explicitly and robustly taken into account in the selection
process.
 Data protection is a concern that was explicitly and reasonably taken into account in the selection
process.
 Data protection is a concern that was explicitly taken into account in the selection process, but that
could have been improved.
 Data protection is a concern that was implicitly taken into account in the selection process and led
to a fair selection.
 Data protection is a concern that was implicitly taken into account in the selection process but that
could have been improved.
 Data protection was not taken into account in the selection process.
Comments
-
Agreement with the processor
Is there a written agreement between the controller and the processor?
 No.
 Yes.
* * *
If yes, what are the constituent parts of the written agreement between the controller and the
processor?
 Explanation: A written agreement is not always a single document; it can consist of several
documents with all sorts of names, such as general terms and conditions, framework agreement, specific
agreement, schedule, service level agreement (“SLA”), statement of work, order form, minimum security
requirements, controller’s or processor’s security policies, ... To be able to assess the agreement, you
should assemble (or have presented) and see all these parts.
The constituent parts of the agreement between the controller and processor in scope are as follows:
Title Date Document
<title of the document> <date of the document> <embed document>
* * *
The controller that uses the services of the processor should have a written agreement with the
processor, which should include the necessary provisions. Which data protection relevant
provisions are included in the agreement with the processor?
 Suggestions
 Check with the legal department.
 Check the local data protection statutes and guidance by the data protection authorities.
 Check for guidance and/or templates by associations within the sector of the controller.
 Note:
 Where the standard contractual clauses for data transfers from a controller to a processor
have been used, most, if not all, necessary provisions are deemed to be present.
 A distinction should be made between the provisions compulsory under the applicable law
(as the case may be, given the situation), the provisions needed to meet the risk standard
sought by the decision on the data protection risk (see end of selection process) and
additional useful provisions.
. Typical provisions
Provision Compulsory? Reference in and/or quote from the agreement
a description of the data processing operations in scope (data, data
subject, recipients, locations, processing types, specifically described
...)
 Compulsory.
 Needed.
 Useful.
the provision that the processor can and shall only process the data
on behalf of and on the instructions of the controller(s), as the case may
be, with the exception of superseding statutory obligations
 Compulsory.
 Needed.
 Useful.
the provision in which the processor accepts to be bound by the EU
data protection legislation, its local implementation, or (in third
countries) its principles
 Compulsory.
 Needed.
 Useful.
the provision that the processor is held to ensure secure and
confidential processing of the data and must implement appropriate
technical and organizational measures to protect personal data
against accidental or unlawful destruction or accidental loss,
alteration, unauthorized disclosure or access, in particular where the
processing involves the transmission of data over a network, and
against all other unlawful forms of processing
 Compulsory.
 Needed.
 Useful.
the provision that the processor must limit the access to the data to
persons with a need-to-know for the exercise of their tasks
 Compulsory.
 Needed.
 Useful.
the provision that the processor must create awareness on data
protection (in general and the regulations in particular)
 Compulsory.
 Needed.
 Useful.
the minimum (level of) security and confidentiality measures to be
taken by the processor, as the case may be making a risk-based
distinction (e.g. per partial assignment, per type of data, ...)
 Compulsory.
 Needed.
 Useful.
provisions with regard to procedures and rules on incident
management
 Compulsory.
 Needed.
 Useful.
provisions with regard to procedures and rules on reporting and
communication in case of incidents, including access requests by
third parties
 Compulsory.
 Needed.
 Useful.
provisions regulating the possibility, if any, and the conditions of
deployment of subprocessors
 Compulsory.
 Needed.
 Useful.
a way to get assurance of the proper implementation of the
(minimum) technical and organizational measures, e.g. audit rights
for the controller(s) or assurance by external auditors
 Compulsory.
 Needed.
 Useful.
provisions with regard to periodic and ad hoc reporting by the
processor
 Compulsory.
 Needed.
 Useful.
provisions with regard to (other) follow-up mechanisms  Compulsory.
 Needed.
 Useful.
provisions with regard to retention of the (personal) data during and
at the end of the agreement
 Compulsory.
 Needed.
 Useful.
provisions creating an incentive for compliance with data protection
or enhancing the enforcement of data protection, e.g. rewards,
sanctions (data protection = material breach and uncapped liability),
etc.
 Compulsory.
 Needed.
 Useful.
clear provisions on the liability of the parties with regard to issues
relating to data processing operations (e.g. data leakage)
 Compulsory.
 Needed.
 Useful.
a governance framework for events and incidents such as data
breaches and requests by data subjects
 Compulsory.
 Needed.
 Useful.
a provision to grant the data subject third party beneficiary rights
against the processor
 Compulsory.
 Needed.
 Useful.
Intermediary conclusion:
 All typical provisions are strongly implemented in the existing agreement.
 All compulsory and needed provisions are strongly implemented in the existing agreement.
 All compulsory provisions are strongly implemented in the existing agreement, the needed provisions however are not.
 Some minor improvements are possible to the existing agreement.
 Some major improvements are possible to the existing agreement.
 Some major improvements are needed to the existing agreement.
 Some major improvements are urgently needed to the existing agreement.
 There is no existing agreement.
Conclusion
☐ The contractual framework, as investigated, is robust.
☐ The contractual framework, as investigated, is subject to minor improvements, namely: <…>
☐ The contractual framework, as investigated, is subject to major improvements, namely: <…>
Comments
-
Follow-up of the processor
The controller that uses the services of the processor should have a procedure in place to follow-up
In what way is assurance acquired on the proper handling of personal and/or customer data?
Suggestions:
- Check the agreement for audit rights or other elements of assurance.
- Check with the contact / procurement officer / relationship manager for the processor how he/they follow up on the processor and in particular on the data protection practice at the processor.
- Where assurance takes the form of third-party reports (e.g. SOC 1 / SOC 2), check that their scope and reporting period actually cover the outsourced operation and the data in scope; a report on another service or for an expired period gives no assurance on this relationship.
Follow-up mechanisms on an individual level (controller – processor)

Mechanism | Foreseen | Basis | Used in fact | Periodicity
Day-to-day cooperation with the service provider | ☐ No. ☐ Yes. | ☐ Agreement. ☐ Practice. ☐ Goodwill of processor. ☐ Other. | ☐ No. ☐ Yes. | ☐ Monthly. ☐ Quarterly. ☐ Yearly. ☐ Other.
Scrutiny of deliverables, quality control | ☐ No. ☐ Yes. | ☐ Agreement. ☐ Practice. ☐ Goodwill of processor. ☐ Other. | ☐ No. ☐ Yes. | ☐ Monthly. ☐ Quarterly. ☐ Yearly. ☐ Other.
Follow-up of milestones and deadlines | ☐ No. ☐ Yes. | ☐ Agreement. ☐ Practice. ☐ Goodwill of processor. ☐ Other. | ☐ No. ☐ Yes. | ☐ Monthly. ☐ Quarterly. ☐ Yearly. ☐ Other.
W(h)ine and dine | ☐ No. ☐ Yes. | ☐ Agreement. ☐ Practice. ☐ Goodwill of processor. ☐ Other. | ☐ No. ☐ Yes. | ☐ Monthly. ☐ Quarterly. ☐ Yearly. ☐ Other.
Periodic (formal) follow-up meetings, one-on-one | ☐ No. ☐ Yes. | ☐ Agreement. ☐ Practice. ☐ Goodwill of processor. ☐ Other. | ☐ No. ☐ Yes. | ☐ Monthly. ☐ Quarterly. ☐ Yearly. ☐ Other.
Periodic (formal) follow-up meetings, joint with other customers of the processor | ☐ No. ☐ Yes. | ☐ Agreement. ☐ Practice. ☐ Goodwill of processor. ☐ Other. | ☐ No. ☐ Yes. | ☐ Monthly. ☐ Quarterly. ☐ Yearly. ☐ Other.
Escalation procedure | ☐ No. ☐ Yes. | ☐ Agreement. ☐ Practice. ☐ Goodwill of processor. ☐ Other. | ☐ No. ☐ Yes. | ☐ Monthly. ☐ Quarterly. ☐ Yearly. ☐ Other.
Service Level (exception) reporting by the processor | ☐ No. ☐ Yes. | ☐ Agreement. ☐ Practice. ☐ Goodwill of processor. ☐ Other. | ☐ No. ☐ Yes. | ☐ Monthly. ☐ Quarterly. ☐ Yearly. ☐ Other.
Questionnaires to be answered by the processor | ☐ No. ☐ Yes. | ☐ Agreement. ☐ Practice. ☐ Goodwill of processor. ☐ Other. | ☐ No. ☐ Yes. | ☐ Monthly. ☐ Quarterly. ☐ Yearly. ☐ Other.
Assurance delivered by the internal audit of the processor (free format) | ☐ No. ☐ Yes. | ☐ Agreement. ☐ Practice. ☐ Goodwill of processor. ☐ Other. | ☐ No. ☐ Yes. | ☐ Monthly. ☐ Quarterly. ☐ Yearly. ☐ Other.
Assurance delivered by an external, independent auditor appointed by the processor (free format) | ☐ No. ☐ Yes. | ☐ Agreement. ☐ Practice. ☐ Goodwill of processor. ☐ Other. | ☐ No. ☐ Yes. | ☐ Monthly. ☐ Quarterly. ☐ Yearly. ☐ Other.
Assurance delivered by the internal audit of the processor (template of the controller) | ☐ No. ☐ Yes. | ☐ Agreement. ☐ Practice. ☐ Goodwill of processor. ☐ Other. | ☐ No. ☐ Yes. | ☐ Monthly. ☐ Quarterly. ☐ Yearly. ☐ Other.
Assurance delivered by an external, independent auditor appointed by the processor (template of the controller) | ☐ No. ☐ Yes. | ☐ Agreement. ☐ Practice. ☐ Goodwill of processor. ☐ Other. | ☐ No. ☐ Yes. | ☐ Monthly. ☐ Quarterly. ☐ Yearly. ☐ Other.
KPI measurement and reporting thereon by controller | ☐ No. ☐ Yes. | ☐ Agreement. ☐ Practice. ☐ Goodwill of processor. ☐ Other. | ☐ No. ☐ Yes. | ☐ Monthly. ☐ Quarterly. ☐ Yearly. ☐ Other.
Audit on the premises by controller’s audit team | ☐ No. ☐ Yes. | ☐ Agreement. ☐ Practice. ☐ Goodwill of processor. ☐ Other. | ☐ No. ☐ Yes. | ☐ Monthly. ☐ Quarterly. ☐ Yearly. ☐ Other.
Follow-up of and reaction to incidents at the processor | ☐ No. ☐ Yes. | ☐ Agreement. ☐ Practice. ☐ Goodwill of processor. ☐ Other. | ☐ No. ☐ Yes. | ☐ Monthly. ☐ Quarterly. ☐ Yearly. ☐ Other.
Control on the budget for the services, including invoice control | ☐ No. ☐ Yes. | ☐ Agreement. ☐ Practice. ☐ Goodwill of processor. ☐ Other. | ☐ No. ☐ Yes. | ☐ Monthly. ☐ Quarterly. ☐ Yearly. ☐ Other.
Follow-up of the financial situation of the service provider based on public information | ☐ No. ☐ Yes. | ☐ Agreement. ☐ Practice. ☐ Goodwill of processor. ☐ Other. | ☐ No. ☐ Yes. | ☐ Monthly. ☐ Quarterly. ☐ Yearly. ☐ Other.
Follow-up of the financial situation of the service provider based on non-public information | ☐ No. ☐ Yes. | ☐ Agreement. ☐ Practice. ☐ Goodwill of processor. ☐ Other. | ☐ No. ☐ Yes. | ☐ Monthly. ☐ Quarterly. ☐ Yearly. ☐ Other.

Follow-up mechanisms on a multilateral level (processor to multiple controllers, including the controller in scope)

Mechanism | Foreseen | Basis | Used in fact | Periodicity
Service Level (exception) reporting | ☐ No. ☐ Yes. | ☐ Agreement. ☐ Practice. ☐ Goodwill of processor. ☐ Other. | ☐ No. ☐ Yes. | ☐ Monthly. ☐ Quarterly. ☐ Yearly. ☐ Other.
KPI measurement and (issue) reporting thereon | ☐ No. ☐ Yes. | ☐ Agreement. ☐ Practice. ☐ Goodwill of processor. ☐ Other. | ☐ No. ☐ Yes. | ☐ Monthly. ☐ Quarterly. ☐ Yearly. ☐ Other.
Control on the overall budget | ☐ No. ☐ Yes. | ☐ Agreement. ☐ Practice. ☐ Goodwill of processor. ☐ Other. | ☐ No. ☐ Yes. | ☐ Monthly. ☐ Quarterly. ☐ Yearly. ☐ Other.

Follow-up mechanisms on a group governance level (in case the processor is a member of the group of the controller)

Mechanism | Foreseen | Basis | Used in fact | Periodicity
Information Security reporting on the processes as such | ☐ No. ☐ Yes. | ☐ Agreement. ☐ Practice. ☐ Goodwill of processor. ☐ Other. | ☐ No. ☐ Yes. | ☐ Monthly. ☐ Quarterly. ☐ Yearly. ☐ Other.
Audit assurance on the processes as such | ☐ No. ☐ Yes. | ☐ Agreement. ☐ Practice. ☐ Goodwill of processor. ☐ Other. | ☐ No. ☐ Yes. | ☐ Monthly. ☐ Quarterly. ☐ Yearly. ☐ Other.
Statistical analysis of the operations (e.g. throughput time, access to tools, etc.) | ☐ No. ☐ Yes. | ☐ Agreement. ☐ Practice. ☐ Goodwill of processor. ☐ Other. | ☐ No. ☐ Yes. | ☐ Monthly. ☐ Quarterly. ☐ Yearly. ☐ Other.
Is it clear who has to follow up the processor?
☐ No.
☐ Yes for all follow-up mechanisms.
☐ Yes for some follow-up mechanisms. Not for the following <…>
* * *
Is it clear how the assurance or lack thereof has to be handled? Is it clear what has to be done in case of the absence of assurance or the receipt of a notification indicating a security incident?
☐ No.
☐ Yes for all follow-up mechanisms.
☐ Yes for some follow-up mechanisms. Not for the following <…>
Conclusion
☐ Follow-up of the processor is robust.
☐ Follow-up of the processor is subject to minor improvements.
☐ Follow-up of the processor is subject to major improvements.
Comments
-
References
Suggestions: Keep these lists in a spreadsheet and insert/embed the final spreadsheets in this annex.
Note: The prefilled fields are only examples of content for these reference documents; adapt them to the internal procedures and the factual situation.
Activity Log

Date | Activity | Status | Who? | Remark
<…> | Intake interview with xxx | <…> | <…> | <…>
<…> | Interview with xxx | <…> | <…> | <…>
<…> | Questionnaire xxx sent out to xxx | <…> | <…> | <…>
<…> | Response to questionnaire xxx received from xxx | <…> | <…> | <…>
<…> | Process diagram xxx received from xxx | <…> | <…> | <…>
<…> | Walkthrough process xxx | <…> | <…> | <…>
<…> | Document request for xxx | <…> | <…> | <…>
<…> | Document xxx received from | <…> | <…> | <…>
<…> | Draft report sent to xxx | <…> | <…> | <…>
<…> | Feedback interview with xxx | <…> | <…> | <…>
<…> | Final report | <…> | <…> | <…>
<…> | Final report sent out | <…> | <…> | <…>
Documentation received

Category | Document | Date request | Date receipt | Source
Selection | RFI | <…> | <…> | <…>
Selection | Responses of the processor (winning candidate) to the RFI | <…> | <…> | <…>
Selection | RFP | <…> | <…> | <…>
Selection | Responses of the processor (winning candidate) to the RFP | <…> | <…> | <…>
Selection | BAFO (best and final offer) of the processor (winning candidate) | <…> | <…> | <…>
Selection | Memo for the decision taker(s) | <…> | <…> | <…>
Selection | Certificates relevant for data protection of the processor provided in the selection process | <…> | <…> | <…>
Selection | SOC 1 audit assurance dated xxx | <…> | <…> | <…>
Selection | SOC 2 audit assurance dated xxx | <…> | <…> | <…>
Agreement | Agreement(s) with processor (incl. annexes, schedules and appendices) | <…> | <…> | <…>
Agreement | Amendment(s) to the agreement with the processor | <…> | <…> | <…>
Follow-up | SOC 1 audit assurance dated xxx | <…> | <…> | <…>
Follow-up | SOC 2 audit assurance dated xxx | <…> | <…> | <…>
Follow-up | Periodic checkup report by outsourcing manager (controller side) dated xxx | <…> | <…> | <…>
Follow-up | List of issues with the processor, whether or not escalated, dated xxx | <…> | <…> | <…>
Follow-up | Periodic reporting by processor dated xxx | <…> | <…> | <…>
Interviews & Questionnaires

Category | What? | Document | Date | Source
Selection | Questions for procurement department | <…> | <…> | <…>
Selection | Questionnaire completed by procurement department | <…> | <…> | <…>
Selection | Report of interview with procurement department | <…> | <…> | <…>
Agreement | Questions for the lead negotiator of the agreement | <…> | <…> | <…>
Agreement | Questionnaire completed by lead negotiator of the agreement | <…> | <…> | <…>
Agreement | Report of interview with lead negotiator of the agreement | <…> | <…> | <…>
Follow-up | Questions for procurement department | <…> | <…> | <…>
Follow-up | Questionnaire completed by procurement department | <…> | <…> | <…>
Follow-up | Report of interview with procurement department | <…> | <…> | <…>
Follow-up | Questions for department accountable for the outsourced data processing operation | <…> | <…> | <…>
Follow-up | Questionnaire completed by department accountable for the outsourced data processing operation | <…> | <…> | <…>
Follow-up | Report of interview with department accountable for the outsourced data processing operation | <…> | <…> | <…>
@TommyVandepitte
@TommyVandepitte
26

Contenu connexe

Similaire à Data Protection Compliance Check - Outsourcing - Part 2 "Paper" (C2P relationship)

Sample audit plan
Sample audit planSample audit plan
Sample audit planMaher Manan
 
FedRAMP concept-of-operations-conops
FedRAMP concept-of-operations-conopsFedRAMP concept-of-operations-conops
FedRAMP concept-of-operations-conopsGovCloud Network
 
Running Head ZIFFCORP AUDIT PROPOSAL 1 ZiffCo.docx
Running Head ZIFFCORP AUDIT PROPOSAL 1 ZiffCo.docxRunning Head ZIFFCORP AUDIT PROPOSAL 1 ZiffCo.docx
Running Head ZIFFCORP AUDIT PROPOSAL 1 ZiffCo.docxjeffsrosalyn
 
CAAT - Data Analysis and Audit Techniques
CAAT - Data Analysis and Audit TechniquesCAAT - Data Analysis and Audit Techniques
CAAT - Data Analysis and Audit TechniquesSaurabh Rai
 
Regulatory operations at PLG
Regulatory operations at PLGRegulatory operations at PLG
Regulatory operations at PLGAlison Fautré
 
advanced project management mod 5
advanced project management mod 5advanced project management mod 5
advanced project management mod 5POOJA UDAYAN
 
CMMC case study: Inside a CMMC assessment
CMMC case study: Inside a CMMC assessmentCMMC case study: Inside a CMMC assessment
CMMC case study: Inside a CMMC assessmentInfosec
 
What are data flow diagrams
What are data flow diagramsWhat are data flow diagrams
What are data flow diagramsAli Daniyal
 
DEFINITIONS PxI MatrixProbability and Impact Ranking Impact Descri.docx
DEFINITIONS PxI MatrixProbability and Impact Ranking Impact Descri.docxDEFINITIONS PxI MatrixProbability and Impact Ranking Impact Descri.docx
DEFINITIONS PxI MatrixProbability and Impact Ranking Impact Descri.docxvickeryr87
 
PMC_CHAPTER 3_ PPC.pptx
PMC_CHAPTER 3_ PPC.pptxPMC_CHAPTER 3_ PPC.pptx
PMC_CHAPTER 3_ PPC.pptxyeshuniju2007
 
Data management plan (important components and best practices) final v 1.0
Data management plan (important components and best practices) final v 1.0Data management plan (important components and best practices) final v 1.0
Data management plan (important components and best practices) final v 1.0Amiit Keshav Naik
 
CH6 6.1 PROCESS THINKING Process thinking is the point o.docx
CH6 6.1 PROCESS THINKING Process thinking is the point o.docxCH6 6.1 PROCESS THINKING Process thinking is the point o.docx
CH6 6.1 PROCESS THINKING Process thinking is the point o.docxsleeperharwell
 
Running Head PROJECT PLAN-BUSINESS REQUIREMENT DOCUMENT .docx
Running Head PROJECT PLAN-BUSINESS REQUIREMENT DOCUMENT      .docxRunning Head PROJECT PLAN-BUSINESS REQUIREMENT DOCUMENT      .docx
Running Head PROJECT PLAN-BUSINESS REQUIREMENT DOCUMENT .docxjeanettehully
 
IT 552 Module Five Assignment Rubric The purpose of t.docx
IT 552 Module Five Assignment Rubric  The purpose of t.docxIT 552 Module Five Assignment Rubric  The purpose of t.docx
IT 552 Module Five Assignment Rubric The purpose of t.docxchristiandean12115
 
To meet the requirements for lab 10 you were to perform Part 1, S
To meet the requirements for lab 10 you were to perform Part 1, STo meet the requirements for lab 10 you were to perform Part 1, S
To meet the requirements for lab 10 you were to perform Part 1, STakishaPeck109
 
Small projectlifecycleplantemplatev
Small projectlifecycleplantemplatevSmall projectlifecycleplantemplatev
Small projectlifecycleplantemplatevaftabsaeedi
 

Similaire à Data Protection Compliance Check - Outsourcing - Part 2 "Paper" (C2P relationship) (20)

Sample audit plan
Sample audit planSample audit plan
Sample audit plan
 
FedRAMP concept-of-operations-conops
FedRAMP concept-of-operations-conopsFedRAMP concept-of-operations-conops
FedRAMP concept-of-operations-conops
 
Running Head ZIFFCORP AUDIT PROPOSAL 1 ZiffCo.docx
Running Head ZIFFCORP AUDIT PROPOSAL 1 ZiffCo.docxRunning Head ZIFFCORP AUDIT PROPOSAL 1 ZiffCo.docx
Running Head ZIFFCORP AUDIT PROPOSAL 1 ZiffCo.docx
 
CAAT - Data Analysis and Audit Techniques
CAAT - Data Analysis and Audit TechniquesCAAT - Data Analysis and Audit Techniques
CAAT - Data Analysis and Audit Techniques
 
Data Protection & GDPR Health Check Service Overview
Data Protection & GDPR Health Check Service OverviewData Protection & GDPR Health Check Service Overview
Data Protection & GDPR Health Check Service Overview
 
Regulatory operations at PLG
Regulatory operations at PLGRegulatory operations at PLG
Regulatory operations at PLG
 
advanced project management mod 5
advanced project management mod 5advanced project management mod 5
advanced project management mod 5
 
CMMC case study: Inside a CMMC assessment
CMMC case study: Inside a CMMC assessmentCMMC case study: Inside a CMMC assessment
CMMC case study: Inside a CMMC assessment
 
What are data flow diagrams
What are data flow diagramsWhat are data flow diagrams
What are data flow diagrams
 
DEFINITIONS PxI MatrixProbability and Impact Ranking Impact Descri.docx
DEFINITIONS PxI MatrixProbability and Impact Ranking Impact Descri.docxDEFINITIONS PxI MatrixProbability and Impact Ranking Impact Descri.docx
DEFINITIONS PxI MatrixProbability and Impact Ranking Impact Descri.docx
 
PMC_CHAPTER 3_ PPC.pptx
PMC_CHAPTER 3_ PPC.pptxPMC_CHAPTER 3_ PPC.pptx
PMC_CHAPTER 3_ PPC.pptx
 
Data management plan (important components and best practices) final v 1.0
Data management plan (important components and best practices) final v 1.0Data management plan (important components and best practices) final v 1.0
Data management plan (important components and best practices) final v 1.0
 
Sdlc1
Sdlc1Sdlc1
Sdlc1
 
Rules of Behavior
Rules of BehaviorRules of Behavior
Rules of Behavior
 
CH6 6.1 PROCESS THINKING Process thinking is the point o.docx
CH6 6.1 PROCESS THINKING Process thinking is the point o.docxCH6 6.1 PROCESS THINKING Process thinking is the point o.docx
CH6 6.1 PROCESS THINKING Process thinking is the point o.docx
 
Running Head PROJECT PLAN-BUSINESS REQUIREMENT DOCUMENT .docx
Running Head PROJECT PLAN-BUSINESS REQUIREMENT DOCUMENT      .docxRunning Head PROJECT PLAN-BUSINESS REQUIREMENT DOCUMENT      .docx
Running Head PROJECT PLAN-BUSINESS REQUIREMENT DOCUMENT .docx
 
PROCESS IMPOVEMENT PLAN
PROCESS IMPOVEMENT PLAN                                           PROCESS IMPOVEMENT PLAN
PROCESS IMPOVEMENT PLAN
 
IT 552 Module Five Assignment Rubric The purpose of t.docx
IT 552 Module Five Assignment Rubric  The purpose of t.docxIT 552 Module Five Assignment Rubric  The purpose of t.docx
IT 552 Module Five Assignment Rubric The purpose of t.docx
 
To meet the requirements for lab 10 you were to perform Part 1, S
To meet the requirements for lab 10 you were to perform Part 1, STo meet the requirements for lab 10 you were to perform Part 1, S
To meet the requirements for lab 10 you were to perform Part 1, S
 
Small projectlifecycleplantemplatev
Small projectlifecycleplantemplatevSmall projectlifecycleplantemplatev
Small projectlifecycleplantemplatev
 

Plus de Tommy Vandepitte

Gegevensbescherming-clausule in (overheids)opdracht
Gegevensbescherming-clausule in (overheids)opdrachtGegevensbescherming-clausule in (overheids)opdracht
Gegevensbescherming-clausule in (overheids)opdrachtTommy Vandepitte
 
20190131 - Presentation Q&A on legislation's influence (on travel management)
20190131 - Presentation Q&A on legislation's influence (on travel management)20190131 - Presentation Q&A on legislation's influence (on travel management)
20190131 - Presentation Q&A on legislation's influence (on travel management)Tommy Vandepitte
 
GDPR toegepast op huur-verhuur (Dutch)
GDPR toegepast op huur-verhuur (Dutch)GDPR toegepast op huur-verhuur (Dutch)
GDPR toegepast op huur-verhuur (Dutch)Tommy Vandepitte
 
Controller-to-processor agreements
Controller-to-processor agreementsController-to-processor agreements
Controller-to-processor agreementsTommy Vandepitte
 
Gegevensbescherming makelaars
Gegevensbescherming makelaarsGegevensbescherming makelaars
Gegevensbescherming makelaarsTommy Vandepitte
 
EEAS - Cultivate your data protection
EEAS - Cultivate your data protectionEEAS - Cultivate your data protection
EEAS - Cultivate your data protectionTommy Vandepitte
 
Presentation for the LSEC GDPR event - 20171130
Presentation for the LSEC GDPR event - 20171130Presentation for the LSEC GDPR event - 20171130
Presentation for the LSEC GDPR event - 20171130Tommy Vandepitte
 
Training privacy by design
Training privacy by designTraining privacy by design
Training privacy by designTommy Vandepitte
 
GDPR voor steden en gemeenten (Dutch)
GDPR voor steden en gemeenten (Dutch)GDPR voor steden en gemeenten (Dutch)
GDPR voor steden en gemeenten (Dutch)Tommy Vandepitte
 
GDPR project board deck (example)
GDPR project board deck (example)GDPR project board deck (example)
GDPR project board deck (example)Tommy Vandepitte
 
IS/DPP for staff #8 - Monitoring
IS/DPP for staff #8 - MonitoringIS/DPP for staff #8 - Monitoring
IS/DPP for staff #8 - MonitoringTommy Vandepitte
 
IS/DPP for staff #7 - Incidents
IS/DPP for staff #7 - IncidentsIS/DPP for staff #7 - Incidents
IS/DPP for staff #7 - IncidentsTommy Vandepitte
 
IS/DPP for staff #6 - Acceptable use
IS/DPP for staff #6 - Acceptable useIS/DPP for staff #6 - Acceptable use
IS/DPP for staff #6 - Acceptable useTommy Vandepitte
 
IS/DPP for staff #5b - Passwords
IS/DPP for staff #5b - PasswordsIS/DPP for staff #5b - Passwords
IS/DPP for staff #5b - PasswordsTommy Vandepitte
 
IS/DPP for staff #5a - Access
IS/DPP for staff #5a - AccessIS/DPP for staff #5a - Access
IS/DPP for staff #5a - AccessTommy Vandepitte
 
IS/DPP for staff #3b - Data Classification
IS/DPP for staff #3b - Data ClassificationIS/DPP for staff #3b - Data Classification
IS/DPP for staff #3b - Data ClassificationTommy Vandepitte
 
IS/DPP for staff #3a - Data
IS/DPP for staff #3a - DataIS/DPP for staff #3a - Data
IS/DPP for staff #3a - DataTommy Vandepitte
 
IS/DPP for staff #2 - Why?
IS/DPP for staff #2 - Why?IS/DPP for staff #2 - Why?
IS/DPP for staff #2 - Why?Tommy Vandepitte
 
IS/DPP for staff #1 - intro
IS/DPP for staff #1 - introIS/DPP for staff #1 - intro
IS/DPP for staff #1 - introTommy Vandepitte
 

Plus de Tommy Vandepitte (20)

DPIA template
DPIA templateDPIA template
DPIA template
 
Gegevensbescherming-clausule in (overheids)opdracht
Gegevensbescherming-clausule in (overheids)opdrachtGegevensbescherming-clausule in (overheids)opdracht
Gegevensbescherming-clausule in (overheids)opdracht
 
20190131 - Presentation Q&A on legislation's influence (on travel management)
20190131 - Presentation Q&A on legislation's influence (on travel management)20190131 - Presentation Q&A on legislation's influence (on travel management)
20190131 - Presentation Q&A on legislation's influence (on travel management)
 
GDPR toegepast op huur-verhuur (Dutch)
GDPR toegepast op huur-verhuur (Dutch)GDPR toegepast op huur-verhuur (Dutch)
GDPR toegepast op huur-verhuur (Dutch)
 
Controller-to-processor agreements
Controller-to-processor agreementsController-to-processor agreements
Controller-to-processor agreements
 
Gegevensbescherming makelaars
Gegevensbescherming makelaarsGegevensbescherming makelaars
Gegevensbescherming makelaars
 
EEAS - Cultivate your data protection
EEAS - Cultivate your data protectionEEAS - Cultivate your data protection
EEAS - Cultivate your data protection
 
Presentation for the LSEC GDPR event - 20171130
Presentation for the LSEC GDPR event - 20171130Presentation for the LSEC GDPR event - 20171130
Presentation for the LSEC GDPR event - 20171130
 
Training privacy by design
Training privacy by designTraining privacy by design
Training privacy by design
 
GDPR voor steden en gemeenten (Dutch)
GDPR voor steden en gemeenten (Dutch)GDPR voor steden en gemeenten (Dutch)
GDPR voor steden en gemeenten (Dutch)
 
GDPR project board deck (example)
GDPR project board deck (example)GDPR project board deck (example)
GDPR project board deck (example)
 
IS/DPP for staff #8 - Monitoring
IS/DPP for staff #8 - MonitoringIS/DPP for staff #8 - Monitoring
IS/DPP for staff #8 - Monitoring
 
IS/DPP for staff #7 - Incidents
IS/DPP for staff #7 - IncidentsIS/DPP for staff #7 - Incidents
IS/DPP for staff #7 - Incidents
 
IS/DPP for staff #6 - Acceptable use
IS/DPP for staff #6 - Acceptable useIS/DPP for staff #6 - Acceptable use
IS/DPP for staff #6 - Acceptable use
 
IS/DPP for staff #5b - Passwords
IS/DPP for staff #5b - PasswordsIS/DPP for staff #5b - Passwords
IS/DPP for staff #5b - Passwords
 
IS/DPP for staff #5a - Access
IS/DPP for staff #5a - AccessIS/DPP for staff #5a - Access
IS/DPP for staff #5a - Access
 
IS/DPP for staff #3b - Data Classification
IS/DPP for staff #3b - Data ClassificationIS/DPP for staff #3b - Data Classification
IS/DPP for staff #3b - Data Classification
 
IS/DPP for staff #3a - Data
IS/DPP for staff #3a - DataIS/DPP for staff #3a - Data
IS/DPP for staff #3a - Data
 
IS/DPP for staff #2 - Why?
IS/DPP for staff #2 - Why?IS/DPP for staff #2 - Why?
IS/DPP for staff #2 - Why?
 
IS/DPP for staff #1 - intro
IS/DPP for staff #1 - introIS/DPP for staff #1 - intro
IS/DPP for staff #1 - intro
 

Dernier

一比一原版(Warwick毕业证书)华威大学毕业证如何办理
一比一原版(Warwick毕业证书)华威大学毕业证如何办理一比一原版(Warwick毕业证书)华威大学毕业证如何办理
一比一原版(Warwick毕业证书)华威大学毕业证如何办理Fir La
 
一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理
一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理
一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理e9733fc35af6
 
一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理
一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理
一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理Airst S
 
ARTICLE 370 PDF about the indian constitution.
ARTICLE 370 PDF about the  indian constitution.ARTICLE 370 PDF about the  indian constitution.
ARTICLE 370 PDF about the indian constitution.tanughoshal0
 
一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理
一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理
一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理bd2c5966a56d
 
Human Rights_FilippoLuciani diritti umani.pptx
Human Rights_FilippoLuciani diritti umani.pptxHuman Rights_FilippoLuciani diritti umani.pptx
Human Rights_FilippoLuciani diritti umani.pptxfilippoluciani9
 
Reason Behind the Success of Law Firms in India
Reason Behind the Success of Law Firms in IndiaReason Behind the Success of Law Firms in India
Reason Behind the Success of Law Firms in IndiaYash
 
一比一原版(USC毕业证书)南加州大学毕业证学位证书
一比一原版(USC毕业证书)南加州大学毕业证学位证书一比一原版(USC毕业证书)南加州大学毕业证学位证书
一比一原版(USC毕业证书)南加州大学毕业证学位证书irst
 
一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理
一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理
一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理Airst S
 
一比一原版(Monash毕业证书)澳洲莫纳什大学毕业证如何办理
一比一原版(Monash毕业证书)澳洲莫纳什大学毕业证如何办理一比一原版(Monash毕业证书)澳洲莫纳什大学毕业证如何办理
一比一原版(Monash毕业证书)澳洲莫纳什大学毕业证如何办理F La
 
一比一原版曼彻斯特城市大学毕业证如何办理
一比一原版曼彻斯特城市大学毕业证如何办理一比一原版曼彻斯特城市大学毕业证如何办理
一比一原版曼彻斯特城市大学毕业证如何办理Airst S
 
A SHORT HISTORY OF LIBERTY'S PROGREE THROUGH HE EIGHTEENTH CENTURY
A SHORT HISTORY OF LIBERTY'S PROGREE THROUGH HE EIGHTEENTH CENTURYA SHORT HISTORY OF LIBERTY'S PROGREE THROUGH HE EIGHTEENTH CENTURY
A SHORT HISTORY OF LIBERTY'S PROGREE THROUGH HE EIGHTEENTH CENTURYJulian Scutts
 
Hely-Hutchinson v. Brayhead Ltd .pdf
Hely-Hutchinson v. Brayhead Ltd         .pdfHely-Hutchinson v. Brayhead Ltd         .pdf
Hely-Hutchinson v. Brayhead Ltd .pdfBritto Valan
 
一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理
一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理
一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理ss
 
Sangyun Lee, Duplicate Powers in the Criminal Referral Process and the Overla...
Sangyun Lee, Duplicate Powers in the Criminal Referral Process and the Overla...Sangyun Lee, Duplicate Powers in the Criminal Referral Process and the Overla...
Sangyun Lee, Duplicate Powers in the Criminal Referral Process and the Overla...Sangyun Lee
 
一比一原版(IC毕业证书)帝国理工学院毕业证如何办理
一比一原版(IC毕业证书)帝国理工学院毕业证如何办理一比一原版(IC毕业证书)帝国理工学院毕业证如何办理
一比一原版(IC毕业证书)帝国理工学院毕业证如何办理Fir La
 
589308994-interpretation-of-statutes-notes-law-college.pdf
589308994-interpretation-of-statutes-notes-law-college.pdf589308994-interpretation-of-statutes-notes-law-college.pdf
589308994-interpretation-of-statutes-notes-law-college.pdfSUSHMITAPOTHAL
 
Cyber Laws : National and International Perspective.
Cyber Laws : National and International Perspective.Cyber Laws : National and International Perspective.
Cyber Laws : National and International Perspective.Nilendra Kumar
 
Understanding the Role of Labor Unions and Collective Bargaining
Understanding the Role of Labor Unions and Collective BargainingUnderstanding the Role of Labor Unions and Collective Bargaining
Understanding the Role of Labor Unions and Collective Bargainingbartzlawgroup1
 
Smarp Snapshot 210 -- Google's Social Media Ad Fraud & Disinformation Strategy
Smarp Snapshot 210 -- Google's Social Media Ad Fraud & Disinformation StrategySmarp Snapshot 210 -- Google's Social Media Ad Fraud & Disinformation Strategy
Smarp Snapshot 210 -- Google's Social Media Ad Fraud & Disinformation StrategyJong Hyuk Choi
 

Dernier (20)

一比一原版(Warwick毕业证书)华威大学毕业证如何办理
一比一原版(Warwick毕业证书)华威大学毕业证如何办理一比一原版(Warwick毕业证书)华威大学毕业证如何办理
一比一原版(Warwick毕业证书)华威大学毕业证如何办理
 
一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理
一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理
一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理
 
一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理
一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理
一比一原版(ECU毕业证书)埃迪斯科文大学毕业证如何办理
 
ARTICLE 370 PDF about the indian constitution.
ARTICLE 370 PDF about the  indian constitution.ARTICLE 370 PDF about the  indian constitution.
ARTICLE 370 PDF about the indian constitution.
 
一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理
一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理
一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理
 
Human Rights_FilippoLuciani diritti umani.pptx
Human Rights_FilippoLuciani diritti umani.pptxHuman Rights_FilippoLuciani diritti umani.pptx
Human Rights_FilippoLuciani diritti umani.pptx
 
Reason Behind the Success of Law Firms in India
Reason Behind the Success of Law Firms in IndiaReason Behind the Success of Law Firms in India
Reason Behind the Success of Law Firms in India
 
一比一原版(USC毕业证书)南加州大学毕业证学位证书
一比一原版(USC毕业证书)南加州大学毕业证学位证书一比一原版(USC毕业证书)南加州大学毕业证学位证书
一比一原版(USC毕业证书)南加州大学毕业证学位证书
 
一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理
一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理
一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理
 
一比一原版(Monash毕业证书)澳洲莫纳什大学毕业证如何办理
一比一原版(Monash毕业证书)澳洲莫纳什大学毕业证如何办理一比一原版(Monash毕业证书)澳洲莫纳什大学毕业证如何办理
一比一原版(Monash毕业证书)澳洲莫纳什大学毕业证如何办理
 
一比一原版曼彻斯特城市大学毕业证如何办理
一比一原版曼彻斯特城市大学毕业证如何办理一比一原版曼彻斯特城市大学毕业证如何办理
一比一原版曼彻斯特城市大学毕业证如何办理
 
A SHORT HISTORY OF LIBERTY'S PROGREE THROUGH HE EIGHTEENTH CENTURY
A SHORT HISTORY OF LIBERTY'S PROGREE THROUGH HE EIGHTEENTH CENTURYA SHORT HISTORY OF LIBERTY'S PROGREE THROUGH HE EIGHTEENTH CENTURY
A SHORT HISTORY OF LIBERTY'S PROGREE THROUGH HE EIGHTEENTH CENTURY
 
Hely-Hutchinson v. Brayhead Ltd .pdf
Hely-Hutchinson v. Brayhead Ltd         .pdfHely-Hutchinson v. Brayhead Ltd         .pdf
Hely-Hutchinson v. Brayhead Ltd .pdf
 
一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理
一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理
一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理
 
Sangyun Lee, Duplicate Powers in the Criminal Referral Process and the Overla...
Sangyun Lee, Duplicate Powers in the Criminal Referral Process and the Overla...Sangyun Lee, Duplicate Powers in the Criminal Referral Process and the Overla...
Sangyun Lee, Duplicate Powers in the Criminal Referral Process and the Overla...
 
一比一原版(IC毕业证书)帝国理工学院毕业证如何办理
一比一原版(IC毕业证书)帝国理工学院毕业证如何办理一比一原版(IC毕业证书)帝国理工学院毕业证如何办理
一比一原版(IC毕业证书)帝国理工学院毕业证如何办理
 
589308994-interpretation-of-statutes-notes-law-college.pdf
589308994-interpretation-of-statutes-notes-law-college.pdf589308994-interpretation-of-statutes-notes-law-college.pdf
589308994-interpretation-of-statutes-notes-law-college.pdf
 
Cyber Laws : National and International Perspective.
Cyber Laws : National and International Perspective.Cyber Laws : National and International Perspective.
Cyber Laws : National and International Perspective.
 
Understanding the Role of Labor Unions and Collective Bargaining
Understanding the Role of Labor Unions and Collective BargainingUnderstanding the Role of Labor Unions and Collective Bargaining
Understanding the Role of Labor Unions and Collective Bargaining
 
Smarp Snapshot 210 -- Google's Social Media Ad Fraud & Disinformation Strategy
Smarp Snapshot 210 -- Google's Social Media Ad Fraud & Disinformation StrategySmarp Snapshot 210 -- Google's Social Media Ad Fraud & Disinformation Strategy
Smarp Snapshot 210 -- Google's Social Media Ad Fraud & Disinformation Strategy
 

Data Protection Compliance Check - Outsourcing - Part 2 "Paper" (C2P relationship)

  • 1. DPCC – Outsourcing - Paper @TommyVandepitte DATA PROTECTION COMPLIANCE CHECK OUTSOURCING FOCUS ON RELATIONSHIP C-P Summary Explanation of this Document Outsourcing data processing operations entails specific risks and requirements under the law and under sound risk management. Therefore a set of three templates is developed to look at outsourcing of data processing operations: (1) the (internal) organisation of the controller including policies and procedures, (2) the relationship between the controller and the processor, mainly via the agreement and (3) the (internal) organisation of the processor. This template aims to give guidance to a check on a specific relationship between a controller and a processor, thus limiting the scope. The DPCC contains checklists. They aim to provide some guidance in the check. However, be aware that some (parts of) checklists may not apply and that no checklist ever includes all possible relevant questions. So check with open eyes. This template addresses that relationship looking at several stages from the controller side (a) in the selection, (b) in the agreement and (c) in (the follow-up of) the performance. This template should be used in a risk-based fashion. Therefore it is expected that critical, key, and/or high-risk outsourced data processing operations of the controller are submitted to a check with priority. The result of this check hopefully is a certain comfort in the application of the controller’s procedures and rules with regard to outsourcing data processing operations. If such comfort is not found, it should be determined whether amends can be made, through an amendment to the agreement or the follow-up mechanisms, or a better discipline in applying them. Also, lessons may be learnt with regard to the effectiveness of the controller’s procedures and rules. @TommyVandepitte @TommyVandepitte 1
Content ........................................... 2
Basics ............................................ 3
  DPCC – Outsourcing .............................. 3
  DPCC ID ......................................... 3
  Scope ........................................... 3
Overview of the Checks ............................ 4
Selection of the processor ........................ 5
  Background Info of the Selection Process ........ 5
  Documentation ................................... 5
  Criteria ........................................ 8
  Decision ........................................ 12
  Conclusion ...................................... 14
Agreement with the processor ...................... 15
  Conclusion ...................................... 18
Follow-up of the processor ........................ 19
  Conclusion ...................................... 23
References ........................................ 24
  Activity Log .................................... 24
  Documentation received .......................... 25
  Interviews & Questionnaires ..................... 26
Basics

DPCC – Outsourcing

On outsourcing there are a number of checks to be installed. On the outsourcing of data processing operations as such there are, grosso modo, three angles to look at:
(1) the (internal) organisation of the controller, including policies and procedures,
(2) the relationship between the controller and the processor, mainly via the agreement, and
(3) the (internal) organisation of the processor.

The check on the relationship between the controller and the processor is addressed in several stages: in the selection, in the agreement and in (the follow-up of) the performance.

This DPCC aims to check these approaches from a data protection perspective and to look for possible improvements.

The DPCC contains checklists. They aim to provide some guidance in the check. However, be aware that some (parts of) checklists may not apply and that no checklist ever includes all possible relevant questions. So check with open eyes.

DPCC ID

Planning reference: <reference to the DPCC overall planning, if any>
Prior similar DPCC(s): <reference to a similar DPCC, in case a DPCC with a similar scope was performed and is now repeated, for reasons of comparison over time>
Date / Period DPCC: <date on or period in which the DPCC will be performed; as the case may be, estimated v. actual man-days needed>
(Lead) Checker: <name of the lead checker>
Departments of Controller involved: <departments involved, e.g. through requests for documentation, interviews, ...; most likely the procurement department, the legal department, the department that is accountable for the data set and should have an outsourcing manager, etc.>
Budget reference: <reference to the budget, if any>
Reporting line: <recipients of the results: departments, functions and/or names>

Scope

The scope is determined based on a target controller-processor relation, with a potential further narrowing of the scope to a particular data set and/or data processing operation. During the actual check it is possible that this has to be slightly refocused, as the scoping is generally based on some assumptions. Should a refocus be significant, the DPCC may be restarted or continue under a strict focus. In any case, such a discovery of assumptions being wrong is reported, to increase the knowledge of the data processing operations in the organisation.

Parties
  Controller(s) in scope: <name controller>
  Processor(s) in scope: <name processor>

Data set
  Data Subjects: <category(ies) of data subjects; if not sure at the start of the DPCC: assumption>
  Data (Categories): <category(ies) of data; if not sure at the start of the DPCC: assumption>
  Purpose: <purpose(s) for which the data is used; if not sure at the start of the DPCC: assumption>

Processing by the Processor(s)
  Types of processing: <types of processing by the processor with regard to the data set; if not sure at the start of the DPCC: assumption>
  <consider: collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction>
Overview of the Checks

1. Selection of the processor: the controller that uses the services of the processor has to take into account that the chosen processor offers adequate guarantees on the technical and organizational security measures with regard to the outsourced data processing operations.
2. Agreement with the processor: the controller that uses the services of the processor should have a written agreement with the processor, which must include the compulsory provisions and (at best) should include the useful provisions.
3. Follow-up of the processor: the controller that uses the services of the processor should have a procedure in place to follow up the performance of the processor (with regard to data protection).
Selection of the processor

Background Info of the Selection Process

When did the selection process take place?

Start date of the selection process: <date>
What is considered the start of the selection process?
  [ ] Formal decision to outsource
  [ ] Sending out the RFI
  [ ] Other: ...

End date of the selection process: <date>
What is considered the end of the selection process?
  [ ] BAFO of the processor
  [ ] Formal decision to outsource to this processor
  [ ] Date of execution / signature of the agreement with the processor
  [ ] Other: ...

Who within the controller (department, function, name) was involved in the selection process?
  - Background: these people are potential interviewees, should the documentation give an insufficiently detailed view on the situation, or, even next to sufficient documentation, to see whether the documentation is complete.
  - Note: it is possible that not all persons involved or all parameters are known. Try to get at least the information on the key people involved.

Task(s)                              | Name | Function | Department
Lead negotiator                      |      |          |
Representative of business involved  |      |          |
Legal support                        |      |          |
Decision taker                       |      |          |

Documentation

Did the controller that uses the services of the processor document the selection process? Namely, that the processor (to be) chosen offers adequate guarantees on the technical and organizational security measures with regard to the data processing operations.
  - Background / Assumption
    - A structured selection has several phases, like research for potential players (e.g. via a search in publicly available information or a Gartner Magic Quadrant), Request for Information (RFI), Request for Proposal (RFP), Best and Final Offer (BAFO), decision, adjudication, etc.
    - Even in an unstructured selection process, documents are exchanged back and forth between the parties and some internal memos are drafted to support the decision.
  - Suggestions
    - Most likely this documentation, if any, is kept at the procurement or legal department, in the same file as the agreement with the processor. At least they should / could know where it is kept.
    - Do not accept the mere statement that there is such documentation; in the context of this DPCC, the documentation should be presented for review. Add the documentation received or reviewed to the list in the annex.

General

Data protection is inserted in the documentation of the selection process of a processor:
  [ ] No.
  [ ] Yes.

Approach (applied in the case in scope)

What is the approach or what are the approaches to inserting data protection in the selection process?
  [ ] Research of the publicly available credentials / references of the candidates.
  [ ] Questions to the candidates.
  [ ] Documentation presented by the candidates.

Type of questions:
  [ ] Not applicable.
  [ ] Open questions.
  [ ] Closed questions (i.e. seeking specific answers or yes/no answers).

Proof provided by the processor:
  [ ] None.
  [ ] Documents/policies.
  [ ] Certifications.
  [ ] Control results.
  [ ] Control / visit by the controller.

Per phase: was data protection inserted in a phase (applied in the case in scope)

Included in the basic requirements to participate in the selection process (e.g. general or specific buyer terms of the controller): [ ] No. [ ] Yes.
Included in the RFI – sent out by the controller: [ ] No. [ ] Yes.
Included in the RFI – response by the processor: [ ] No. [ ] Yes.
Included in the RFP – sent out by the controller: [ ] No. [ ] Yes.
Included in the RFP – response by the processor: [ ] No. [ ] Yes.
Included in the BAFO: [ ] No. [ ] Yes.
Included in the decision to choose the processor: [ ] No. [ ] Yes.
Criteria

The controller that uses the services of the processor has to take into account that the chosen processor offers adequate guarantees on the technical and organizational security measures with regard to the data processing operations. What criteria were used to that extent?
  - Suggestions
    - Look for predetermined criteria (explicitly) being used to select the processor, and for criteria that may not have been predetermined but were de facto used.

Criteria (explicitly or implicitly applied in the case in scope)

For each criterion, record whether it was used ("Used?") and how it applied to the processor.

Is the processor a member of the economic group of the controller?
  Used? [ ] No. [ ] Explicitly. [ ] Implicitly.
  [ ] Processor is a group member.
  [ ] Processor is not a group member.

Is the processor located in the same country as the controller, in the European Union, in the European Economic Area, or in a country ensuring an adequate level of data protection?
  Used? [ ] No. [ ] Explicitly. [ ] Implicitly.
  [ ] Processor is located in the same country as the controller.
  [ ] Processor is located in the EU.
  [ ] Processor is located in the EEA outside the EU.
  [ ] Processor is located in a country outside the EEA ensuring an adequate level of data protection.
  [ ] Processor is located in a country not ensuring an adequate level of data protection.

Is any processing operation by the processor located in a country not ensuring an adequate level of data protection?
  Used? [ ] No. [ ] Explicitly. [ ] Implicitly.
  [ ] No, all processing operations are to be performed in the EU.
  [ ] No, all processing operations are to be performed in the EEA outside the EU.
  [ ] No, all processing operations are to be performed in a country outside the EEA ensuring an adequate level of data protection.
  [ ] Yes, some processing operations are to be performed in a country not ensuring an adequate level of data protection, namely <processing operation> in <country>.

Is the processor under a duty of confidentiality?
  Used? [ ] No. [ ] Explicitly. [ ] Implicitly.
  [ ] Yes, the processor is under a statutory duty of confidentiality which is criminally sanctioned for the processing in scope.
  [ ] Yes, the processor is under a statutory duty of confidentiality which is not criminally sanctioned for the processing in scope.
  [ ] Yes, the processor is under a deontological duty of confidentiality which is sanctioned by a professional ethics body for the processing in scope.
  [ ] Yes, the processor is under a contractual duty of confidentiality.
  [ ] No, the processor is not under a duty of confidentiality.

What is the processor's image with regard to data protection (i.e. the presentation by the company itself)?
  Used? [ ] No. [ ] Explicitly. [ ] Implicitly.
  [ ] No information available.
  [ ] The processor did not profile itself with regard to data protection.
  [ ] The processor profiled itself with regard to data protection as being compliant.
  [ ] The processor profiled itself with regard to data protection as going beyond compliance, striving for a very high level of data protection and/or information security.
  [ ] The processor profiled itself with regard to data protection as (bindingly) committing to go beyond compliance, striving for a very high level of data protection and/or information security.

What is the processor's reputation with regard to data protection (i.e. public perception)?
  Used? [ ] No. [ ] Explicitly. [ ] Implicitly.
  [ ] No information available.
  [ ] The available information does not indicate negative experiences.
  [ ] The available information seems to support data protection compliance.

What is the processor's experience in the handling of personal data?
  Used? [ ] No. [ ] Explicitly. [ ] Implicitly.
  [ ] No, handling personal data is exceptional for the processor.
  [ ] Yes, handling personal data is a service commonly supporting the core business of the processor.
  [ ] Yes, handling personal data is the core business of the processor.

Does the processor have a Data Protection Officer and/or Information Security Officer in place that the controller could talk to during the selection?
  Used? [ ] No. [ ] Explicitly. [ ] Implicitly.
  [ ] No information available.
  [ ] No DPO or ISO appointed.
  [ ] A DPO and ISO appointed, but no access to them.
  [ ] A DPO and ISO appointed, and fairly free access to them.

Does the processor have Binding Corporate Rules for Processors in place that have been acknowledged by the relevant Data Protection Authorities?
  Used? [ ] No. [ ] Explicitly. [ ] Implicitly.
  [ ] No information available.
  [ ] No, the processor does not have BCRs in place.
  [ ] The processor has BCRs in place and makes them publicly available (e.g. on its website).
  [ ] The processor has BCRs in place and spontaneously made them available during the selection process.
  [ ] The processor has BCRs in place and made them available during the selection process, but only on persistent request.

How did the delegation of the processor respond to the interview by the Data Protection Officer and/or Information Security Officer of the controller?
  Used? [ ] No. [ ] Explicitly. [ ] Implicitly.
  [ ] The interview did not take place.
  [ ] The processor gave the impression of considering data protection a cost factor.
  [ ] The processor gave the impression of considering data protection a burden.
  [ ] The processor did not give the impression of being engaged in data protection.
  [ ] The processor gave the impression of being actively engaged in data protection.
  [ ] The processor gave the impression of having a true data protection culture in place.

Did the processor provide copies of its most relevant internal policies? Did they show competence and were they reasonable?
  Used? [ ] No. [ ] Explicitly. [ ] Implicitly.
  [ ] None that we are aware of.
  [ ] No, the processor did not provide such documents, even when requested.
  [ ] Yes, the processor provided such documents upon request.
  [ ] Yes, the processor provided such documents even without being requested.
  [ ] Yes, the processor provided such documents, in such a way that some weaknesses in its frameworks could be detected.

Did the processor have past incidents with regard to handling data? How were they handled?
  Used? [ ] No. [ ] Explicitly. [ ] Implicitly.
  [ ] None that we are aware of.
  [ ] Yes. The processor reluctantly admitted to them.
  [ ] Yes. The processor was very transparent about how it handled them.

Did the processor incur sanctions in relation to handling data?
  Used? [ ] No. [ ] Explicitly. [ ] Implicitly.
  [ ] None that we are aware of.
  [ ] No, the processor warranted during the selection process that no such sanctions had been imposed.
  [ ] Yes, the processor openly admitted to it.
  [ ] Yes, the processor admitted to it, but only on persistent request.

Did the processor give remarkable answers to the questions on data protection / security in the selection process? (e.g. mistakes with regard to technical features, norms, certificates, internal policies, etc.)
  Used? [ ] No. [ ] Explicitly. [ ] Implicitly.
  [ ] None that we are aware of.
  [ ] Yes, the processor did not seem to be bothered by them.
  [ ] Yes, the processor later rectified them in writing.

Might the overall (financial) situation of the processor have an impact on data protection? (e.g. a tendency to grow by acquisition, a risky financial situation, activity in corruption-prone countries, etc.)
  Used? [ ] No. [ ] Explicitly. [ ] Implicitly.
  [ ] None that we are aware of.
  [ ] Yes, but this was not picked up during the selection process.
  [ ] Yes, further information was provided by the processor during the selection process.
  [ ] Yes, warranties were provided by the processor during the selection process.

Is there relevant prior audit assurance available (e.g. from third-party audits)? Check that the scope of the certificate or report (services, systems, locations, period) actually covers the processing in scope.
  Used? [ ] No. [ ] Explicitly. [ ] Implicitly.
  [ ] No relevant prior audit assurance available.
  [ ] ISO 27001 certified in the last 3 years.
  [ ] SOC 1 or SOC 2 report made available by the processor.
  [ ] Other: xxx

What was the advice of the Data Protection Officer and/or Information Security Officer of the controller?
  Used? [ ] No. [ ] Explicitly. [ ] Implicitly.
  [ ] No advice from the DPO or ISO.
  [ ] Negative advice or high-risk warning from the DPO or ISO.
  [ ] Advice to put some additional safeguards in place.
  [ ] Nihil obstat from the DPO and ISO.

Intermediary conclusion:
  [ ] The criteria to assess the data protection risk were explicit, reasonable and coherent.
  [ ] The criteria to assess the data protection risk were reasonable and coherent, even if implicit.
  [ ] The criteria to assess the data protection risk cannot be considered reasonable and coherent.
  [ ] There were no criteria to assess the data protection risk.
Decision

Overall, what was the data protection risk assessment of engaging this processor?
  - Suggestions
    - Look for predetermined criteria (explicitly) being used to select the processor, and for criteria that may not have been predetermined but were de facto used.

At the time of the selection

The data processing operation was internally assessed as... (in case of more data processing operations, the highest)
  [ ] Very high risk.  [ ] High risk.  [ ] Medium risk.  [ ] Low risk.
  Additional comment to this answer:

Outsourcing the data processing operation was assessed as... (in case of more data processing operations, the highest)
  [ ] Very high risk.  [ ] High risk.  [ ] Medium risk.  [ ] Low risk.
  Additional comment to this answer:

In comparison to performing the data processing operation internally, outsourcing the data processing operation was assessed as...
  [ ] A higher risk.  [ ] An equal risk.  [ ] A lower risk.
  Additional comment to this answer:

In comparison to outsourcing the data processing operation to any other candidate in the selection process, outsourcing it to the processor was assessed as...
  [ ] A higher risk.  [ ] An equal risk.  [ ] A lower risk.
  Additional comment to this answer:

In the context of the DPCC

The risk assessments at the time seem reasonable, given the information that seems to have been available at the time of the assessment.
  [ ] No.  [ ] Yes.

If the selection procedure had included reasonable information gathering on data protection, so that more information should reasonably have been available at the time of the decision, would the outcome of the risk assessments likely and reasonably have been different?
  [ ] Hard to determine.  [ ] No.  [ ] Yes.

* * *

What was the impact of the data protection risk assessment on the final decision?

Impact in selection decision

Was there an impact of the data protection risk assessment on the decision?
  [ ] No.  [ ] Yes.

Were there specific items of the data protection risk that the decision explicitly wanted to avoid?
  [ ] No.  [ ] Yes.
  If "yes", were the necessary measures taken to avoid those risks?
    [ ] No.  [ ] Yes.
    Additional comments: which measures?

Were there specific items of the data protection risk that the decision explicitly wanted to allocate to the processor?
  [ ] No.  [ ] Yes.
  If "yes", were the necessary measures taken to allocate those risks to the processor (via the agreement)?
    [ ] No.  [ ] Yes.
    Additional comments: which measures?
      [ ] Representations and warranties.
      [ ] Specific duties for the processor, e.g. (additional) minimum security measures, reporting duties, etc.
      [ ] Specific liabilities for the processor.
      [ ] Other: ...

Were there specific items of the data protection risk that the decision explicitly wanted to insure?
  [ ] No.  [ ] Yes.
  If "yes", was insurance taken out to cover that (part of the) risk?
    [ ] No.  [ ] Partly.  [ ] Yes.
    What are the references of the insurance agreement?
      Insurer: xxx
      Reference of the insurance agreement: xxx
      Reference of the relevant parts of the insurance agreement: xxx

Was there an explicit acceptance of the residual risks?
  [ ] No.  [ ] Yes.

Were the residual risks reasonably known to the decision maker(s)?
  [ ] No.  [ ] Yes.

Conclusion

  [ ] Data protection is a concern that was explicitly and robustly taken into account in the selection process.
  [ ] Data protection is a concern that was explicitly and reasonably taken into account in the selection process.
  [ ] Data protection is a concern that was explicitly taken into account in the selection process, but that could have been improved.
  [ ] Data protection is a concern that was implicitly taken into account in the selection process and led to a fair selection.
  [ ] Data protection is a concern that was implicitly taken into account in the selection process, but that could have been improved.
  [ ] Data protection was not taken into account in the selection process.

Comments:
  -
Agreement with the processor

Is there a written agreement between the controller and the processor?
  [ ] No.  [ ] Yes.

* * *

If yes, what are the constituent parts of the written agreement between the controller and the processor?
  - Explanation: a written agreement is not always a single document, but can be made up of different documents with all sorts of names, such as general terms and conditions, framework agreement, specific agreement, schedule, service level agreement ("SLA"), statement of work, order form, minimum security requirements, the controller's or processor's security policies, ... To be able to assess the agreement, you should assemble (or have presented) and see all these parts.

The constituent parts of the agreement between the controller and processor in scope are as follows:

Title                    | Date                    | Document
<title of the document>  | <date of the document>  | <embed document>

* * *

The controller that uses the services of the processor should have a written agreement with the processor, which should include the necessary provisions. Which data protection relevant provisions are included in the agreement with the processor?
  - Suggestions
    - Check with the legal department.
    - Check the local data protection statutes and the guidance by the data protection authorities.
    - Check for guidance and/or templates by associations within the sector of the controller.
  - Note
    - In case the standard contractual clauses for data transfer from controller to processor are used, most, if not all, necessary provisions are deemed to be present.
    - A distinction should be made between the provisions compulsory under the applicable law (as the case may be, given the situation), the provisions needed to meet the risk standard sought by the decision on the data protection risk (see the end of the selection process) and additional useful provisions.

Typical provisions

For each provision, record whether it is compulsory, needed or useful, and the reference in and/or quote from the agreement.

- A description of the data processing operations in scope (data, data subjects, recipients, locations, processing types, specifically described, ...).
  [ ] Compulsory. [ ] Needed. [ ] Useful.  Reference / quote:
- The provision that the processor can and shall only process the data on behalf of and on the instructions of the controller(s), as the case may be with the exception of superseding statutory obligations.
  [ ] Compulsory. [ ] Needed. [ ] Useful.  Reference / quote:
- The provision in which the processor accepts to be bound by the EU data protection legislation, its local implementation, or (in third countries) its principles.
  [ ] Compulsory. [ ] Needed. [ ] Useful.  Reference / quote:
- The provision that the processor is held to ensure secure and confidential processing of the data and must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
  [ ] Compulsory. [ ] Needed. [ ] Useful.  Reference / quote:
- The provision that the processor must limit access to the data to persons with a need-to-know for the exercise of their tasks.
  [ ] Compulsory. [ ] Needed. [ ] Useful.  Reference / quote:
- The provision that the processor must create awareness on data protection (in general, and on the regulations in particular).
  [ ] Compulsory. [ ] Needed. [ ] Useful.  Reference / quote:
- The minimum (level of) security and confidentiality measures to be taken by the processor, as the case may be making a risk-based distinction (e.g. per partial assignment, per type of data, ...).
  [ ] Compulsory. [ ] Needed. [ ] Useful.  Reference / quote:
- Provisions with regard to procedures and rules on incident management.
  [ ] Compulsory. [ ] Needed. [ ] Useful.  Reference / quote:
- Provisions with regard to procedures and rules on reporting and communication in case of incidents, including access requests by third parties.
  [ ] Compulsory. [ ] Needed. [ ] Useful.  Reference / quote:
- Provisions regulating the possibility, if any, and the conditions of the deployment of subprocessors.
  [ ] Compulsory. [ ] Needed. [ ] Useful.  Reference / quote:
- A way to get assurance of the proper implementation of the (minimum) technical and organizational measures, e.g. audit rights for the controller(s) or assurance by external auditors.
  [ ] Compulsory. [ ] Needed. [ ] Useful.  Reference / quote:
- Provisions with regard to periodic and ad hoc reporting by the processor.
  [ ] Compulsory. [ ] Needed. [ ] Useful.  Reference / quote:
- Provisions with regard to (other) follow-up mechanisms.
  [ ] Compulsory. [ ] Needed. [ ] Useful.  Reference / quote:
- Provisions with regard to the retention of the (personal) data during and at the end of the agreement.
  [ ] Compulsory. [ ] Needed. [ ] Useful.  Reference / quote:
- Provisions creating an incentive for compliance with data protection or enhancing the enforcement of data protection, e.g. rewards, sanctions (a data protection breach = material breach and uncapped liability), etc.
  [ ] Compulsory. [ ] Needed. [ ] Useful.  Reference / quote:
- Clear provisions on the liability of the parties with regard to issues relating to the data processing operations (e.g. data leakage).
  [ ] Compulsory. [ ] Needed. [ ] Useful.  Reference / quote:
- A governance framework for events and incidents such as data breaches and requests by data subjects.
  [ ] Compulsory. [ ] Needed. [ ] Useful.  Reference / quote:
- A provision to grant the data subject third-party beneficiary rights against the processor.
  [ ] Compulsory. [ ] Needed. [ ] Useful.  Reference / quote:

Intermediary conclusion:
  [ ] All typical provisions are strongly implemented in the existing agreement.
  [ ] All compulsory and needed provisions are strongly implemented in the existing agreement.
  [ ] All compulsory provisions are strongly implemented in the existing agreement; the needed provisions, however, are not.
  [ ] Some minor improvements are possible to the existing agreement.
  [ ] Some major improvements are possible to the existing agreement.
  [ ] Some major improvements are needed to the existing agreement.
  [ ] Some major improvements are urgently needed to the existing agreement.
  [ ] There is no existing agreement.

Conclusion

  [ ] The contractual framework, as investigated, is robust.
  [ ] The contractual framework, as investigated, is subject to minor improvements, namely: <...>
  [ ] The contractual framework, as investigated, is subject to major improvements, namely: <...>

Comments:
  -
Follow-up of the processor

The controller that uses the services of the processor should have a procedure in place to follow up the performance of the processor (with regard to data protection). In what way is assurance acquired on the proper handling of personal and/or customer data?
  - Suggestions
    - Check the agreement for audit rights or other elements of assurance.
    - Check with the contact / procurement officer / relationship manager for the processor how he/they follow up on the processor, and in particular on the data protection practice at the processor.

For each follow-up mechanism below, record:
  Foreseen:      [ ] No.  [ ] Yes.
  Basis:         [ ] Agreement.  [ ] Practice.  [ ] Goodwill of processor.  [ ] Other.
  Used in fact:  [ ] No.  [ ] Yes.
  Periodicity:   [ ] Monthly.  [ ] Quarterly.  [ ] Yearly.  [ ] Other.

Follow-up mechanisms on an individual level (controller – processor)

Mechanism                                                                                         | Foreseen | Basis | Used in fact | Periodicity
Day-to-day cooperation with the service provider                                                  |          |       |              |
Scrutiny of deliverables, quality control                                                         |          |       |              |
Follow-up of milestones and deadlines                                                             |          |       |              |
W(h)ine and dine                                                                                  |          |       |              |
Periodic (formal) follow-up meetings, one-on-one                                                  |          |       |              |
Periodic (formal) follow-up meetings, joint with other customers of the processor                 |          |       |              |
Escalation procedure                                                                              |          |       |              |
Service Level (exception) reporting by the processor                                              |          |       |              |
Questionnaires to be answered by the processor                                                    |          |       |              |
Assurance delivered by the internal audit of the processor (free format)                          |          |       |              |
Assurance delivered by an external, independent auditor appointed by the processor (free format)  |          |       |              |
Assurance delivered by the internal audit of the processor (template of the controller)           |          |       |              |
Assurance delivered by an external, independent auditor appointed by the processor (template of the controller) |  |  |  |
KPI measurement and reporting thereon by the controller                                           |          |       |              |
Audit on the premises by the controller's audit team                                              |          |       |              |
Follow-up of and reaction to incidents at the processor                                           |          |       |              |
Control on the budget for the services, including invoice control                                 |          |       |              |
Follow-up of the financial situation of the service provider based on public information          |          |       |              |
Follow-up of the financial situation of the service provider based on non-public information      |          |       |              |

Follow-up mechanisms on a multilateral level (processor to multiple controllers, including the controller in scope)

Mechanism                                                                                         | Foreseen | Basis | Used in fact | Periodicity
Service Level (exception) reporting                                                               |          |       |              |
KPI measurement and (issue) reporting thereon                                                     |          |       |              |
Control on the overall budget                                                                     |          |       |              |

Follow-up mechanisms on a group governance level (in case the processor is a member of the group of the controller)

Mechanism                                                                                         | Foreseen | Basis | Used in fact | Periodicity
Information Security reporting on the processes as such                                           |          |       |              |
Audit assurance on the processes as such                                                          |          |       |              |
Statistical analysis of the operations (e.g. throughput time, access to tools, etc.)              |          |       |              |

Is it clear who has to follow up the processor?
  [ ] No.
  [ ] Yes, for all follow-up mechanisms.
  [ ] Yes, for some follow-up mechanisms; not for the following: <...>

* * *

Is it clear how the assurance, or the lack thereof, has to be handled? Is it clear what has to be done in case of the absence of assurance, or on receipt of a notification indicating a security incident?
  [ ] No.
  [ ] Yes, for all follow-up mechanisms.
  [ ] Yes, for some follow-up mechanisms; not for the following: <...>

Conclusion

  [ ] Follow-up of the processor is robust.
  [ ] Follow-up of the processor is subject to minor improvements.
  [ ] Follow-up of the processor is subject to major improvements.

Comments:
  -
References

Suggestion: keep these lists in a spreadsheet and insert/embed the final spreadsheets in this annex.

Note: the prefilled fields are only examples of content for these reference documents. They need to be adapted to the internal procedures and the factual situation.

Activity Log

Date | Activity | Status | Who? | Remark
 | Intake interview with xxx | | |
 | Interview with xxx | | |
 | Questionnaire xxx sent out to xxx | | |
 | Response to questionnaire xxx received from xxx | | |
 | Process diagram xxx received from xxx | | |
 | Walkthrough process xxx | | |
 | Document request for xxx | | |
 | Document xxx received from | | |
 | Draft report sent to xxx | | |
 | Feedback interview with xxx | | |
 | Final report | | |
 | Final report sent out | | |
Documentation received

Category | Document | Date request | Date receipt | Source
Selection | RFI | | |
Selection | Responses of the processor (winning candidate) to the RFI | | |
Selection | RFP | | |
Selection | Responses of the processor (winning candidate) to the RFP | | |
Selection | BOFA of the processor (winning candidate) | | |
Selection | Memo for the decision taker(s) | | |
Selection | Certificates relevant for data protection of the processor provided in the selection process | | |
Selection | SOC 1 audit assurance dated xxx | | |
Selection | SOC 2 audit assurance dated xxx | | |
Agreement | Agreement(s) with processor (incl. annexes, schedules and appendices) | | |
Agreement | Amendment(s) to the agreement with the processor | | |
Follow-up | SOC 1 audit assurance dated xxx | | |
Follow-up | SOC 2 audit assurance dated xxx | | |
Follow-up | Periodic checkup report by outsourcing manager (controller side) dated xxx | | |
Follow-up | List of issues with the processor, whether or not escalated, dated xxx | | |
Follow-up | Periodic reporting by processor dated xxx | | |
Interviews & Questionnaires

Category | What? | Document | Date | Source
Selection | Questions for procurement department | | |
Selection | Questionnaire completed by procurement department | | |
Selection | Report interview with procurement department | | |
Agreement | Questions for the lead negotiator of the agreement | | |
Agreement | Questionnaire completed by lead negotiator of the agreement | | |
Agreement | Report interview with lead negotiator of the agreement | | |
Follow-up | Questions for procurement department | | |
Follow-up | Questionnaire completed by procurement department | | |
Follow-up | Report interview with procurement department | | |
Follow-up | Questions for department accountable for the outsourced data processing operation | | |
Follow-up | Questionnaire completed by department accountable for the outsourced data processing operation | | |
Follow-up | Report interview with department accountable for the outsourced data processing operation | | |