They Are Asking For What?
In preparation for the GDPR and the UK refresh of the Data Protection Act, it seems that some organisations, especially government departments and public bodies, are asking some very awkward questions:
- Assurances, pledges, loyalty oaths that an organisation is 'GDPR ready'.
- Copies of the organisation's policies and procedures relating to GDPR.
- Claiming a right of audit.
- Contractually requiring agreement to, and proof of, deletion, 'forgetting' and/or return of data.
- Contractual requirements which duplicate, or shift onto the organisation, the burden of handling personal data provided to it by the contracting party.
There are probably others going the rounds as well. Prefacing what I'm going to say with IANAL (I am not a lawyer), it makes sense to apply some rationality to this and maintain the proper borders between organisations. In general I do not believe that anyone has to promise to anyone else, including the Government, that they are going to obey the law. Extra contractual conditions won't provide any kind of indemnity to either party; remember that organisations that supply data have a duty of care both to the owners of the data (individuals) and to whoever they share it with, to ensure that they indeed have the necessary permissions. There could potentially be a lot of 'indemnities' swapped around, but of course they mean nothing.
The same really holds true for being asked for copies of policies, procedures or even implementations. This isn't new behaviour; there are some companies that seem to love forcing their own procedures down suppliers' or even customers' throats: being asked for the details of ISO 27001 certification, the procedures for generating, holding and rotating keys, and so on. Each of these requests can be managed with a blanket 'We maintain and regularly review our policies in this and other areas in the light of best practice and regulatory conditions applicable at the time, including any legal requirements. The specifics of our policies, procedures and implementations are naturally commercially sensitive and are not to be shared.'
This is especially true of a right of audit. Unless the handling of data can be entirely separated by supplier or third party, it would be very difficult to allow a third-party audit without also exposing other data to which the auditor has no reasonable claim of access.
The last two points, contractually requiring, or appearing to place, the burden of performing the mandated deletion or forgetting of personal data, are going to be awkward for the supplier, the third party and the owner of the data alike. No organisation is going to want the unmitigated risk of a third party not being able to effectively delete or forget the data it has held, but this in no way absolves the data-collecting company of its own obligations. There are practicalities around the deletion and forgetting of data which can mitigate some of the risk, but first think about the shared risk of a collecting company and the third parties it may use to process, transform or manage that data on its behalf. Those third parties are not just companies like Cambridge Analytica (who never needed identified information anyway), but any kind of service or processing organisation: lawyers, accountants, consultancies, outsourced IT, offshoring, marketeers, job services, SaaS applications, and on and on. All of them share the risk.
Unlike Operational Risks, Business Risks should be singletons. If there isn't one policy, procedure and implementation in place, but many, each determined by contract, there will be failure. The decision tree for making this sane is fairly obvious, but there are a couple of things that might not be:
- This is a Trust process, so be transparent about what can be transparent, and transparent about where the borders are.
- Ask the same Transparency of your supplier, customer, etc.
- Rule out the option of using aggregated data before exploring any need to share Personal Data.
- Still before sharing Personal Data, explore pseudonymous data thoroughly (really).
- Before giving access to Personal Data, explore the options for Escrow: the only copy of the data is managed, possibly by one third party whose business is providing this service and who has no interest in the data itself (just like any other Due Diligence process between two or more parties).
- If you do have to share data, do not (that should be in CAPS), DO NOT ship data; control access instead. This can even work for the third-party processor if they have to take the data set. But they don't, do they?
- Deletion, Forgetting and Archive: agree what they mean before you start doing any of this at all.
On the last point, which I want to elaborate on in lots of detail one day soon, it's important not to get bound up in definitions of Deletion, Forgetting and Archive that require adjusting the laws of physics. The regulation so far describes all of these states in terms of availability to the 'System' and access or use. Those are the states to concentrate on. There are complications relating to Archive and legacy systems of many years' standing, but there are also ways of handling them.
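As an added illustration, not from the original post, here is the middle of that decision tree (aggregate first, then pseudonymise, then keep the key and the re-identification lookup in-house rather than shipping data) together with the 'availability to the System' reading of forgetting, worked through in Python. The records, the secret, and every name used (RECORDS, Pseudonymiser, forget, drop_subject, age_band) are assumptions constructed for this example and correspond to no real system or data set.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records: made-up people, not real data.
RECORDS = [
    {"email": "ann@example.com", "region": "north", "age": 34},
    {"email": "bob@example.com", "region": "north", "age": 41},
    {"email": "cat@example.com", "region": "south", "age": 29},
    {"email": "dan@example.com", "region": "north", "age": 52},
    {"email": "eve@example.com", "region": "east", "age": 38},
]


def aggregate(records, field, min_cell=3):
    """Step 1: can aggregated data answer the question at all?
    Counts per value of `field`; cells smaller than `min_cell` are suppressed
    so that a tiny group cannot be traced back to one individual."""
    counts = Counter(r[field] for r in records)
    return {value: n for value, n in counts.items() if n >= min_cell}


def age_band(age):
    """Generalise an exact age (a quasi-identifier) to a ten-year band."""
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


class Pseudonymiser:
    """Step 2: pseudonymous data. The controller keeps the secret and the
    token -> identifier lookup; a processor only ever sees tokens."""

    def __init__(self, secret):
        self._secret = secret  # assumed to stay with the controller only
        self._lookup = {}      # token -> direct identifier

    def _tok(self, identifier):
        # Keyed hash: deterministic (same person -> same token), not
        # reversible, and not reproducible without the secret.
        mac = hmac.new(self._secret, identifier.encode("utf-8"), hashlib.sha256)
        return mac.hexdigest()[:16]

    def token(self, identifier):
        tok = self._tok(identifier)
        self._lookup[tok] = identifier
        return tok

    def pseudonymise(self, records, identifier_field, generalise=None):
        """Strip the direct identifier, replace it with a token and generalise
        the listed quasi-identifiers. The result is what a processor gets."""
        generalise = generalise or {}
        view = []
        for rec in records:
            row = {"subject": self.token(rec[identifier_field])}
            for name, value in rec.items():
                if name == identifier_field:
                    continue
                row[name] = generalise[name](value) if name in generalise else value
            view.append(row)
        return view

    def reidentify(self, tok):
        """Only the controller can map a token back; None once forgotten."""
        return self._lookup.get(tok)

    def forget(self, identifier):
        """Forgetting in the 'availability to the System' sense: withdraw the
        re-identification mapping and hand back the token so the processor can
        be told which rows to remove from its copy. While the secret exists the
        controller could recompute the token, so discarding the secret is what
        unlinks every token at once."""
        tok = self._tok(identifier)
        self._lookup.pop(tok, None)
        return tok


def drop_subject(view, tok):
    """What the processor does with the token returned by forget()."""
    return [row for row in view if row["subject"] != tok]


if __name__ == "__main__":
    print(aggregate(RECORDS, "region"))            # small cells suppressed
    ctrl = Pseudonymiser(b"controller-only-secret")  # constructed placeholder
    shared = ctrl.pseudonymise(RECORDS, "email", generalise={"age": age_band})
    print(shared)
    gone = ctrl.forget("ann@example.com")
    print(ctrl.reidentify(gone), len(drop_subject(shared, gone)))
```

The token is a keyed hash rather than a plain hash so that a processor can still join rows about the same subject, while nobody without the controller's secret can rebuild tokens from a list of e-mail addresses; the lookup and the secret never leave the controller, which is what 'control access, don't ship data' amounts to in practice.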