Data Protection Compliance Check - Outsourcing - Part 2 "Paper" (C2P relationship)
1. DPCC – Outsourcing - Paper
@TommyVandepitte
DATA PROTECTION COMPLIANCE CHECK
OUTSOURCING
FOCUS ON RELATIONSHIP C-P
Summary Explanation of this Document
Outsourcing data processing operations entails specific risks and requirements under the law and under sound risk management.

Therefore a set of three templates has been developed to look at the outsourcing of data processing operations:
(1) the (internal) organisation of the controller, including policies and procedures,
(2) the relationship between the controller and the processor, mainly via the agreement, and
(3) the (internal) organisation of the processor.

This template aims to give guidance to a check on a specific relationship between a controller and a processor, thus limiting the scope.

The DPCC contains checklists. They aim to provide some guidance in the check. However, be aware that some (parts of) checklists may not apply and that no checklist ever includes all possible relevant questions. So check with open eyes.

This template addresses that relationship looking at several stages from the controller side:
(a) in the selection,
(b) in the agreement and
(c) in (the follow-up of) the performance.

This template should be used in a risk-based fashion. Therefore it is expected that critical, key and/or high-risk outsourced data processing operations of the controller are submitted to a check with priority.

The result of this check hopefully is a certain comfort in the application of the controller’s procedures and rules with regard to outsourcing data processing operations. If such comfort is not found, it should be determined whether amends can be made, through an amendment to the agreement or the follow-up mechanisms, or through better discipline in applying them. Also, lessons may be learnt with regard to the effectiveness of the controller’s procedures and rules.
Content
Summary Explanation of this Document (p. 1)
Content (p. 2)
Basics (p. 3)
  DPCC – Outsourcing (p. 3)
  DPCC ID (p. 3)
  Scope (p. 3)
Overview of the Checks (p. 4)
Selection of the processor (p. 5)
  Background Info of the Selection Process (p. 5)
  Documentation (p. 5)
  Criteria (p. 8)
  Decision (p. 12)
  Conclusion (p. 14)
Agreement with the processor (p. 15)
  Conclusion (p. 18)
Follow-up of the processor (p. 19)
  Conclusion (p. 23)
References (p. 24)
  Activity Log (p. 24)
  Documentation received (p. 25)
  Interviews & Questionnaires (p. 26)
Basics
DPCC – Outsourcing
On outsourcing there are a number of checks to be installed. On outsourcing of data processing
operations in itself there are grosso modo three angles to look at: (1) the (internal) organisation of the
controller including policies and procedures, (2) the relationship between the controller and the
processor, mainly via the agreement and (3) the (internal) organisation of the processor. The check on
the relationship between the controller and the processor is addressed in several stages: in the
selection, in the agreement and in (the follow-up of) the performance. This DPCC aims to check and
look for possible improvements in these approaches from a data protection perspective.
The DPCC contains checklists. They aim to provide some guidance in the check. However, be aware
that some (parts of) checklists may not apply and that no checklist ever includes all possible relevant
questions. So check with open eyes.
DPCC ID
Planning reference: <reference to the DPCC overall planning, if any>
Prior similar DPCC(s): <reference to a similar DPCC, in case a DPCC with similar scope was performed and is now repeated, for reasons of comparison over time>
Date / Period DPCC: <date on or period in which the DPCC will be performed + as the case may be estimated v actual mandays needed>
(Lead) Checker: <name of the lead checker>
Departments of Controller involved: <departments involved e.g. through requests for documentation, interviews, … most likely the procurement department, the legal department, the department that is accountable for the data set and should have an outsourcing manager, etc.>
Budget reference: <reference to the budget, if any>
Reporting line: <recipients of the results: departments, functions and/or names>
Scope
The scope is determined based on a target controller-processor relation with a potential further
narrowing of the scope to a particular data set and/or data processing operation. During the actual check
it is possible that this has to be slightly refocused as the scoping is generally based on some
assumptions. Should a refocus be significant, the DPCC may be restarted or continue under a strict
focus. In any case such discovery of assumptions being wrong is reported to increase the knowledge of
the data processing operations in the organisation.
Parties
Controller(s) in scope: <name controller>
Processor(s) in scope: <name processor>
Data set
Data Subjects: <category(ies) of data subjects; if not sure at start of DPCC: assumption>
Data (Categories): <category(ies) of data; if not sure at start of DPCC: assumption>
Purpose: <purpose(s) for which the data is used; if not sure at start of DPCC: assumption>
Processing by the Processor(s)
Types of processing: <types of processing by the processor with regard to the data set; if not sure at start of DPCC: assumption>
<consider: collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction>
Overview of the Checks
Overview of the tests
1 Selection of the processor: The controller that uses the services of the processor has to take into account that the chosen processor offers adequate guarantees on the technical and organizational security measures with regard to the outsourced data processing operations.
2 Agreement with the processor: The controller that uses the services of the processor should have a written agreement with the processor, which must include the compulsory provisions and (preferably) should include useful provisions.
3 Follow-up of the processor: The controller that uses the services of the processor should have a procedure in place to follow up the performance of the processor (with regard to data protection).
Selection of the processor
Background Info of the Selection Process
When did the selection process take place?
Start date of the selection process: <date>
What is considered the start of the selection process? Formal decision to outsource. / Sending out the RFI. / Other: …
End date of the selection process: <date>
What is considered the end of the selection process? BAFO of the processor. / Formal decision to outsource to this processor. / Date of execution / signature of the agreement with the processor. / Other: …
Who within the controller (department, function, name) was involved in the selection process?
Background: These people are potential interviewees, should the documentation give an insufficiently detailed view on the situation, or even in addition to sufficient documentation, to see whether the documentation is complete.
Note: It is possible that not all persons involved or all parameters are known. Try to get at least the information on the key people involved.
For each task, record the name, function and department of the person(s) involved:
Lead negotiator: <name, function, department>
Representative of business involved: <name, function, department>
Legal support: <name, function, department>
Decision taker: <name, function, department>
Documentation
Did the controller that uses the services of the processor document the selection process? Namely, that the processor (to be) chosen offers adequate guarantees on the technical and organizational security measures with regard to the data processing operations.
Background / Assumption
A structured selection has several phases, like research for potential players (e.g. via a search in publicly available information or a Gartner Magic Quadrant), Request for Information (RFI), Request for Proposal (RFP), Best and Final Offer (BAFO), decision, adjudication, etc. Even in an unstructured selection process, documents are exchanged back and forth between the parties and some internal memos are drafted to support the decision.
Suggestions
Most likely this documentation, if any, is kept at the procurement or legal department, in the same file as the agreement with the processor. At least they should / could know where it is kept.
Do not accept the mere statement that there is such documentation; in the context of this DPCC, the documentation should be presented for review. Add the documentation received or reviewed to the list in the annex.
General
Data protection is inserted in the documentation of the selection process of a processor: No. / Yes.
Approach (applied in the case in scope)
What is the approach or what are the approaches to inserting data protection in the selection process? Research of the publicly available credentials / references of the candidates. / Questions to the candidates. / Documentation presented by the candidates.
Type of questions: Not applicable. / Open questions. / Closed questions (i.e. seeking specific answers or yes/no answers).
Proof provided by the processor: None. / Documents/policies. / Certifications. / Control results. / Control / visit by controller.
Per phase: was data protection inserted in a phase (applied in the case in scope)
Included in the basic requirements to participate in the selection process (e.g. general or specific buyer terms of the controller): No. / Yes.
Included in the RFI – sent out by the controller: No. / Yes.
Included in the RFI – response by the processor: No. / Yes.
Included in the RFP – sent out by the controller: No. / Yes.
Included in the RFP – response by the processor: No. / Yes.
Included in the BAFO: No. / Yes.
Included in the decision to choose the processor: No.
Criteria
The controller that uses the services of the processor has to take into account that the chosen processor offers adequate guarantees on the technical and organizational security measures with regard to the data processing operations. What criteria were used to that end?
Suggestions
Look for predetermined criteria (explicitly) being used to select the processor and for criteria that may not have been predetermined, but de facto were
used.
Criteria (explicitly or implicitly applied in the case in scope)
For each criterion, record whether it was used (No. / Explicitly. / Implicitly.) and how it was applied to the processor.

Criterion: Is the processor a member of the economic group of the controller?
Used?: No. / Explicitly. / Implicitly.
How applied to processor?: Processor is group member. / Processor is no group member.

Criterion: Is the processor located in the same country as the controller, in the European Union, in the European Economic Area or in a country ensuring an adequate level of data protection?
Used?: No. / Explicitly. / Implicitly.
How applied to processor?: Processor is located in the same country as the controller. / Processor is located in the EU. / Processor is located in the EEA outside the EU. / Processor is located in a country ensuring an adequate level of data protection outside the EEA. / Processor is located in a country not ensuring an adequate level of data protection.

Criterion: Is any processing operation by the processor located in a country not ensuring an adequate level of data protection?
Used?: No. / Explicitly. / Implicitly.
How applied to processor?: No, all processing operations are to be performed in the EU. / No, all processing operations are to be performed in the EEA outside the EU. / No, all processing operations are to be performed in a country ensuring an adequate level of data protection outside the EEA. / Yes, some processing operations are to be performed in a country not ensuring an adequate level of data protection: namely <processing operation> in <country>.

Criterion: Is the processor under a duty of confidentiality?
Used?: No. / Explicitly. / Implicitly.
How applied to processor?: Yes, the processor is under a statutory duty of confidentiality which is criminally sanctioned for the processing in scope. / Yes, the processor is under a statutory duty of confidentiality which is not criminally sanctioned for the processing in scope. / Yes, the processor is under a deontological duty of confidentiality which is sanctioned by a professional ethics body for the processing in scope. / Yes, the processor is under a contractual duty of confidentiality. / No, the processor is not under a duty of confidentiality.
Criterion: What is the processor’s image with regard to data protection (i.e. presentation by the company itself)?
Used?: No. / Explicitly. / Implicitly.
How applied to processor?: No information available. / The processor did not profile itself with regard to data protection. / The processor profiled itself with regard to data protection as being compliant. / The processor profiled itself with regard to data protection as going beyond compliance, striving for a very high level of data protection and/or information security. / The processor profiled itself with regard to data protection as (bindingly) committing to go beyond compliance, striving for a very high level of data protection and/or information security.

Criterion: What is the processor’s reputation with regard to data protection (i.e. public perception)?
Used?: No. / Explicitly. / Implicitly.
How applied to processor?: No information available. / The available information does not indicate negative experiences. / The available information seems to support data protection compliance.

Criterion: What is the processor’s experience in the handling of personal data?
Used?: No. / Explicitly. / Implicitly.
How applied to processor?: No, handling personal data is exceptional for the processor. / Yes, handling personal data is a service commonly supporting the core business of the processor. / Yes, handling personal data is the core business of the processor.

Criterion: Does the processor have a Data Protection Officer and/or Information Security Officer in place that the controller could talk to during the selection?
Used?: No. / Explicitly. / Implicitly.
How applied to processor?: No information available. / No DPO or ISO appointed. / A DPO and ISO appointed, but no access to them. / A DPO and ISO appointed, and fairly free access to them.
Criterion: Does the processor have Binding Corporate Rules for Processors in place that have been acknowledged by the relevant Data Protection Authorities?
Used?: No. / Explicitly. / Implicitly.
How applied to processor?: No information available. / No, the processor does not have BCRs in place. / The processor has BCRs in place and makes them publicly available (e.g. on its website). / The processor has BCRs in place and spontaneously made them available during the selection process. / The processor has BCRs in place and made them available during the selection process but only on persistent request.

Criterion: How did the delegation of the processor respond to the interview by the Data Protection Officer and/or Information Security Officer of the controller?
Used?: No. / Explicitly. / Implicitly.
How applied to processor?: The interview did not take place. / The processor gave the impression of considering data protection a cost factor. / The processor gave the impression of considering data protection a burden. / The processor did not give the impression of being engaged in data protection. / The processor gave the impression of being actively engaged in data protection. / The processor gave the impression of having a true data protection culture in place.

Criterion: Did the processor provide copies of its most relevant internal policies? Did they show competence and were they reasonable?
Used?: No. / Explicitly. / Implicitly.
How applied to processor?: None that we are aware of. / No, the processor did not provide such documents even when requested. / Yes, the processor provided such documents upon request. / Yes, the processor provided such documents even without being requested. / Yes, the processor provided such documents, in such a way that some weaknesses in its frameworks could be detected.

Criterion: Did the processor have past incidents with regard to handling data? How were they handled?
Used?: No. / Explicitly. / Implicitly.
How applied to processor?: None that we are aware of. / Yes. The processor reluctantly admitted to them. / Yes. The processor was very transparent about how they handled them.
Criterion: Did the processor incur sanctions in relation to handling data?
Used?: No. / Explicitly. / Implicitly.
How applied to processor?: None that we are aware of. / No, the processor made a warranty during the selection process that there were no such sanctions imposed. / Yes, the processor openly admitted to it. / Yes, the processor admitted to it but only on persistent request.
Criterion: Did the processor give remarkable answers to the questions on data protection / security in the selection process? (e.g. mistakes with regard to technical features, norms, certificates, internal policies, etc.)
Used?: No. / Explicitly. / Implicitly.
How applied to processor?: None that we are aware of. / Yes, the processor did not seem to be bothered by them. / Yes, the processor later rectified them in writing.

Criterion: Might the overall (financial) situation of the processor have an impact on data protection? E.g. a tendency to grow by acquisition, a risky financial situation, being active in corruption-prone countries, etc.
Used?: No. / Explicitly. / Implicitly.
How applied to processor?: None that we are aware of. / Yes, but this was not picked up during the selection process. / Yes, further information was provided by the processor during the selection process. / Yes, warranties were provided by the processor during the selection process.

Criterion: Is there relevant prior audit assurance available (e.g. from third party audits)?
Used?: No. / Explicitly. / Implicitly.
How applied to processor?: No relevant prior audit assurance available. / ISO27001 certified in the last 3 years. / SOC1 or SOC2 made available by the processor. / Other: xxx

Criterion: What was the advice of the Data Protection Officer and/or Information Security Officer of the controller?
Used?: No. / Explicitly. / Implicitly.
How applied to processor?: No advice from the DPO or ISO. / Negative advice or high risk warning from the DPO or ISO. / Advice to put some additional safeguards in place. / Nihil obstat from the DPO and ISO.

Intermediary conclusion:
The criteria to assess the data protection risk were explicit, reasonable and coherent.
The criteria to assess the data protection risk were reasonable and coherent, even if implicit.
The criteria to assess the data protection risk cannot be considered reasonable and coherent.
There were no criteria to assess the data protection risk.
Decision
Overall, what was the data protection risk assessment of engaging this processor?
Suggestions
Look for predetermined criteria (explicitly) being used to select the processor and for criteria
that may not have been predetermined, but de facto were used.
At the time of the selection
The data processing operation was internally assessed as… (in case of more data processing operations, the highest): Very high risk. / High risk. / Medium risk. / Low risk.
Additional comment to this answer:
Outsourcing the data processing operation was assessed as… (in case of more data processing operations, the highest): Very high risk. / High risk. / Medium risk. / Low risk.
Additional comment to this answer:
In comparison to performing the data processing operation internally, outsourcing the data processing operation was assessed as…: A higher risk. / An equal risk. / A lower risk.
Additional comment to this answer:
In comparison to outsourcing the data processing operation to any other candidate in the selection process, outsourcing it to the processor was assessed as…: A higher risk. / An equal risk. / A lower risk.
Additional comment to this answer:
In the context of the DPCC
The risk assessments at the time seem reasonable given the information that seems to have been available at the time of the assessment: No. / Yes.
If, at the time of the decision, more information should reasonably have been available had the selection procedure taken into account reasonable information gathering on data protection, would the outcome of the risk assessments likely and reasonably have been different? Hard to determine. / No. / Yes.
* * *
What was the impact of the data protection risk assessment on the final decision?
Impact in selection decision
Was there an impact of the data protection risk assessment on the decision? No. / Yes.
Were there specific items of the data protection risk that the decision explicitly wanted to avoid? No. / Yes.
If “yes”, were the necessary measures taken to avoid those risks? No. / Yes.
Additional comments: which measures?
Were there specific items of the data protection risk that the decision explicitly wanted to allocate to the processor? No. / Yes.
If “yes”, were the necessary measures taken to allocate those risks to the processor (via the agreement)? No. / Yes.
Additional comments: which measures? Representations and warranties. / Specific duties for the processor, e.g. (additional) minimum security measures, reporting duties, etc. / Specific liabilities for the processor. / Other: …
Were there specific items of the data protection risk that the decision explicitly wanted to insure? No. / Yes.
If “yes”, was insurance taken to cover that (part of the) risk? No. / Partly. / Yes.
What are the references of the insurance agreement? Insurer: xxx / Reference of the insurance agreement: xxx / Reference of the relevant parts of the insurance agreement: xxx
Was there an explicit acceptance of the residual risks? No. / Yes.
Were the residual risks reasonably known to the decision maker(s)? No. / Yes.
Conclusion
Data protection is a concern that was explicitly and robustly taken into account in the selection
process.
Data protection is a concern that was explicitly and reasonably taken into account in the selection
process.
Data protection is a concern that was explicitly taken into account in the selection process, but that
could have been improved.
Data protection is a concern that was implicitly taken into account in the selection process and led
to a fair selection.
Data protection is a concern that was implicitly taken into account in the selection process but that
could have been improved.
Data protection was not taken into account in the selection process.
Comments
-
Agreement with the processor
Is there a written agreement between the controller and the processor?
No.
Yes.
* * *
If yes, what are the constituent parts of the written agreement between the controller and the
processor?
Explanation: A written agreement is not always a single document, but can be defined by different
documents with all sorts of names such as general terms and conditions, framework agreement, specific
agreement, schedule, service level agreement (“SLA”), statement of work, order form, minimum security
requirements, controller’s or processor’s security policies,... To be able to assess the agreement, you
should assemble (or have presented) and see all these parts.
The constituent parts of the agreement between the controller and processor in scope are as follows (one entry per document):
Title: <title of the document>; Date: <date of the document>; Document: <embed document>
* * *
The controller that uses the services of the processor should have a written agreement with the
processor, which should include the necessary provisions. Which data protection relevant
provisions are included in the agreement with the processor?
Suggestions
Check with the legal department.
Check the local data protection statutes and guidance by the data protection authorities.
Check for guidance and/or templates by associations within the sector of the controller.
Note:
In case the standard contractual clauses for data transfer from controller to processor are used, most, if not all, necessary provisions are deemed to be present.
A distinction should be made between the provisions compulsory under the applicable law (as the case may be, given the situation), the provisions needed to meet the risk standard sought by the decision on the data protection risk (see end of selection process) and additional useful provisions.
Typical provisions
For each provision, indicate whether it is compulsory, needed or useful, and give the reference in and/or quote from the agreement.

Provision: a description of the data processing operations in scope (data, data subject, recipients, locations, processing types, specifically described ...)
Compulsory?: Compulsory. / Needed. / Useful. Reference in and/or quote from the agreement: <…>

Provision: the provision that the processor can and shall only process the data on behalf of and on instructions of the controller(s), as the case may be, with the exception of superseding statutory obligations
Compulsory?: Compulsory. / Needed. / Useful. Reference in and/or quote from the agreement: <…>

Provision: the provision in which the processor accepts to be bound by the EU data protection legislation, its local implementation, or (in third countries) its principles
Compulsory?: Compulsory. / Needed. / Useful. Reference in and/or quote from the agreement: <…>

Provision: the provision that the processor is held to ensure secure and confidential processing of the data and must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing
Compulsory?: Compulsory. / Needed. / Useful. Reference in and/or quote from the agreement: <…>

Provision: the provision that the processor must limit the access to the data to persons with a need-to-know for the exercise of their tasks
Compulsory?: Compulsory. / Needed. / Useful. Reference in and/or quote from the agreement: <…>

Provision: the provision that the processor must create awareness on data protection (in general and the regulations in particular)
Compulsory?: Compulsory. / Needed. / Useful. Reference in and/or quote from the agreement: <…>

Provision: the minimum (level of) security and confidentiality measures to be taken by the processor, as the case may be making a risk-based distinction (e.g. per partial assignment, per type of data, ...)
Compulsory?: Compulsory. / Needed. / Useful. Reference in and/or quote from the agreement: <…>

Provision: provisions with regard to procedures and rules on incident management
Compulsory?: Compulsory. / Needed. / Useful. Reference in and/or quote from the agreement: <…>
Provision: provisions with regard to procedures and rules on reporting and communication in case of incidents, including access requests by third parties
Compulsory?: Compulsory. / Needed. / Useful. Reference in and/or quote from the agreement: <…>

Provision: provisions regulating the possibility, if any, and the conditions of deployment of subprocessors
Compulsory?: Compulsory. / Needed. / Useful. Reference in and/or quote from the agreement: <…>

Provision: a way to get assurance of the proper implementation of the (minimum) technical and organizational measures, e.g. audit rights for the controller(s) or assurance by external auditors
Compulsory?: Compulsory. / Needed. / Useful. Reference in and/or quote from the agreement: <…>

Provision: provisions with regard to periodic and ad hoc reporting by the processor
Compulsory?: Compulsory. / Needed. / Useful. Reference in and/or quote from the agreement: <…>

Provision: provisions with regard to (other) follow-up mechanisms
Compulsory?: Compulsory. / Needed. / Useful. Reference in and/or quote from the agreement: <…>

Provision: provisions with regard to retention of the (personal) data during and at the end of the agreement
Compulsory?: Compulsory. / Needed. / Useful. Reference in and/or quote from the agreement: <…>

Provision: provisions creating an incentive for compliance with data protection or enhancing the enforcement of data protection, e.g. rewards, sanctions (data protection = material breach and uncapped liability), etc.
Compulsory?: Compulsory. / Needed. / Useful. Reference in and/or quote from the agreement: <…>

Provision: clear provisions on the liability of the parties with regard to issues relating to data processing operations (e.g. data leakage)
Compulsory?: Compulsory. / Needed. / Useful. Reference in and/or quote from the agreement: <…>

Provision: a governance framework for events and incidents such as data breaches and requests by data subjects
Compulsory?: Compulsory. / Needed. / Useful. Reference in and/or quote from the agreement: <…>

Provision: a provision to grant the data subject third party beneficiary rights against the processor
Compulsory?: Compulsory. / Needed. / Useful. Reference in and/or quote from the agreement: <…>
Intermediary conclusion:
All typical provisions are strongly implemented in the existing agreement.
All compulsory and needed provisions are strongly implemented in the existing agreement.
All compulsory provisions are strongly implemented in the existing agreement, the needed provisions however are not.
Some minor improvements are possible to the existing agreement.
Some major improvements are possible to the existing agreement.
Some major improvements are needed to the existing agreement.
Some major improvements are urgently needed to the existing agreement.
There is no existing agreement.
Conclusion
The contractual framework, as investigated, is robust.
The contractual framework, as investigated, is subject to minor improvements, namely: <…>
The contractual framework, as investigated, is subject to major improvements, namely: <…>
Comments
-
Follow-up of the processor
The controller that uses the services of the processor should have a procedure in place to follow-up
In what way is assurance acquired on the proper handling of personal and/or customer data?
Suggestions
Check the agreement for audit rights or other elements of assurance.
Check with the contact / procurement officer / relationship manager for the processor how they follow up on the processor and in particular on the data protection practice at the processor.
Follow-up mechanisms on an individual level (controller – processor)
Mechanism | Foreseen | Basis | Used in fact | Periodicity
Day-to-day cooperation with the service provider | No. / Yes. | Agreement. / Practice. / Goodwill of processor. / Other. | No. / Yes. | Monthly. / Quarterly. / Yearly. / Other.
Scrutiny of deliverables, quality control | No. / Yes. | Agreement. / Practice. / Goodwill of processor. / Other. | No. / Yes. | Monthly. / Quarterly. / Yearly. / Other.
Follow-up of milestones and deadlines | No. / Yes. | Agreement. / Practice. / Goodwill of processor. / Other. | No. / Yes. | Monthly. / Quarterly. / Yearly. / Other.
W(h)ine and dine | No. / Yes. | Agreement. / Practice. / Goodwill of processor. / Other. | No. / Yes. | Monthly. / Quarterly. / Yearly. / Other.
Periodic (formal) follow-up meetings, one-on-one | No. / Yes. | Agreement. / Practice. / Goodwill of processor. / Other. | No. / Yes. | Monthly. / Quarterly. / Yearly. / Other.
Periodic (formal) follow-up meetings, joint with other customers of the processor | No. / Yes. | Agreement. / Practice. / Goodwill of processor. / Other. | No. / Yes. | Monthly. / Quarterly. / Yearly. / Other.
Escalation procedure | No. / Yes. | Agreement. / Practice. / Goodwill of processor. / Other. | No. / Yes. | Monthly. / Quarterly. / Yearly. / Other.
Service Level (exception) reporting by the processor | No. / Yes. | Agreement. / Practice. / Goodwill of processor. / Other. | No. / Yes. | Monthly. / Quarterly. / Yearly. / Other.
Questionnaires to be answered by the processor | No. / Yes. | Agreement. / Practice. / Goodwill of processor. / Other. | No. / Yes. | Monthly. / Quarterly. / Yearly. / Other.
Assurance delivered by the internal audit of the processor (free format) | No. / Yes. | Agreement. / Practice. / Goodwill of processor. / Other. | No. / Yes. | Monthly. / Quarterly. / Yearly. / Other.
Assurance delivered by an external, independent auditor appointed by the processor (free format) | No. / Yes. | Agreement. / Practice. / Goodwill of processor. / Other. | No. / Yes. | Monthly. / Quarterly. / Yearly. / Other.
Assurance delivered by the internal audit of the processor (template of the controller) | No. / Yes. | Agreement. / Practice. / Goodwill of processor. / Other. | No. / Yes. | Monthly. / Quarterly. / Yearly. / Other.
Assurance delivered by an external, independent auditor appointed by the processor (template of the controller) | No. / Yes. | Agreement. / Practice. / Goodwill of processor. / Other. | No. / Yes. | Monthly. / Quarterly. / Yearly. / Other.
KPI measurement and reporting thereon by controller | No. / Yes. | Agreement. / Practice. / Goodwill of processor. / Other. | No. / Yes. | Monthly. / Quarterly. / Yearly. / Other.
Audit on the premises by controller’s audit team | No. / Yes. | Agreement. / Practice. / Goodwill of processor. / Other. | No. / Yes. | Monthly. / Quarterly. / Yearly. / Other.
Follow-up of and reaction to incidents at the processor | No. / Yes. | Agreement. / Practice. / Goodwill of processor. / Other. | No. / Yes. | Monthly. / Quarterly. / Yearly. / Other.
Control on the budget for the services, including invoice control | No. / Yes. | Agreement. / Practice. / Goodwill of processor. / Other. | No. / Yes. | Monthly. / Quarterly. / Yearly. / Other.
Follow-up of the financial situation of the service provider based on public information | No. / Yes. | Agreement. / Practice. / Goodwill of processor. / Other. | No. / Yes. | Monthly. / Quarterly. / Yearly. / Other.
Follow-up of the financial situation of the service provider based on non-public information | No. / Yes. | Agreement. / Practice. / Goodwill of processor. / Other. | No. / Yes. | Monthly. / Quarterly. / Yearly. / Other.
Follow-up mechanisms on a multilateral level (processor to multiple controllers, including the controller in scope)
Service Level (exception) reporting | No. / Yes. | Agreement. / Practice. / Goodwill of processor. / Other. | No. / Yes. | Monthly. / Quarterly. / Yearly. / Other.
KPI measurement and (issue) reporting thereon | No. / Yes. | Agreement. / Practice. / Goodwill of processor. / Other. | No. / Yes. | Monthly. / Quarterly. / Yearly. / Other.
Control on the overall budget | No. / Yes. | Agreement. / Practice. / Goodwill of processor. / Other. | No. / Yes. | Monthly. / Quarterly. / Yearly. / Other.
Follow-up mechanisms on a group governance level (in case the processor is a member of the group of the controller)
Information Security reporting on the processes as such | No. / Yes. | Agreement. / Practice. / Goodwill of processor. / Other. | No. / Yes. | Monthly. / Quarterly. / Yearly. / Other.
Audit assurance on the processes as such | No. / Yes. | Agreement. / Practice. / Goodwill of processor. / Other. | No. / Yes. | Monthly. / Quarterly. / Yearly. / Other.
Statistical analysis of the operations (e.g. throughput time, access to tools, etc.) | No. / Yes. | Agreement. / Practice. / Goodwill of processor. / Other. | No. / Yes. | Monthly. / Quarterly. / Yearly. / Other.
Is it clear who has to follow up the processor?
No.
Yes for all follow-up mechanisms.
Yes for some follow-up mechanisms. Not for the following <…>
* * *
Is it clear how the assurance or lack thereof has to be handled? Is it clear what has to be done in case of the absence of assurance or the reception of a notification indicating a security incident?
No.
Yes for all follow-up mechanisms.
Yes for some follow-up mechanisms. Not for the following <…>
Conclusion
Follow-up of the processor is robust.
Follow-up of the processor is subject to minor improvements.
Follow-up of the processor is subject to major improvements.
Comments
-
References
Suggestions: Keep these lists in a spreadsheet and insert/embed the final spreadsheets in this annex.
Note: The prefilled fields are just examples of content in these reference documents. Modification to the internal procedures and factual situation is needed.
Activity Log
Date | Activity | Status | Who? | Remark
 | Intake interview with xxx | | |
 | Interview with xxx | | |
 | Questionnaire xxx sent out to xxx | | |
 | Response to questionnaire xxx received from xxx | | |
 | Process diagram xxx received from xxx | | |
 | Walkthrough process xxx | | |
 | Document request for xxx | | |
 | Document xxx received from | | |
 | Draft report sent to xxx | | |
 | Feedback interview with xxx | | |
 | Final report | | |
 | Final report sent out | | |
Documentation received
Category | Document | Date request | Date receipt | Source
Selection | RFI | | |
Selection | Responses of the processor (winning candidate) to the RFI | | |
Selection | RFP | | |
Selection | Responses of the processor (winning candidate) to the RFP | | |
Selection | BOFA of the processor (winning candidate) | | |
Selection | Memo for the decision taker(s) | | |
Selection | Certificates relevant for data protection of the processor provided in the selection process | | |
Selection | SOC 1 audit assurance dated xxx | | |
Selection | SOC 2 audit assurance dated xxx | | |
Agreement | Agreement(s) with processor (incl. annexes, schedules and appendices) | | |
Agreement | Amendment(s) to the agreement with the processor | | |
Follow-up | SOC 1 audit assurance dated xxx | | |
Follow-up | SOC 2 audit assurance dated xxx | | |
Follow-up | Periodic checkup report by outsourcing manager (controller side) dated xxx | | |
Follow-up | List of issues with the processor, whether or not escalated, dated xxx | | |
Follow-up | Periodic reporting by processor dated xxx | | |
Interviews & Questionnaires
Category | What? | Document | Date | Source
Selection | Questions for procurement department | | |
Selection | Questionnaire completed by procurement department | | |
Selection | Report interview with procurement department | | |
Agreement | Questions for the lead negotiator of the agreement | | |
Agreement | Questionnaire completed by lead negotiator of the agreement | | |
Agreement | Report interview with lead negotiator of the agreement | | |
Follow-up | Questions for procurement department | | |
Follow-up | Questionnaire completed by procurement department | | |
Follow-up | Report interview with procurement department | | |
Follow-up | Questions for department accountable for the outsourced data processing operation | | |
Follow-up | Questionnaire completed by department accountable for the outsourced data processing operation | | |
Follow-up | Report interview with department accountable for the outsourced data processing operation | | |