In this episode of the GDPR mini-webinar series Amar Singh and Chris Payne discuss the topic of incident response.
Amar: Welcome to Cyber Management Alliance’s GDPR mini webinar series, the last of our series today. Great to be joined by Chris Payne, Managing Director of Advanced Cyber Solutions, and myself, Amar Singh. Thank you for joining us, and this is a very, very contentious and interesting topic… third parties. Anyone listening in, anyone in cyber or non-cyber, would definitely agree third parties are a major risk, or rather even a threat, to a business. But they are very essential; we can't do without third parties. You have to outsource processes; you have to outsource services; so the GDPR and the EU take an interesting view on third parties. Chris, how many types of third parties are there?
Chris: So, we were actually having this discussion earlier today and I think within the last ten years, the notion of Software-as-a-Service and all types of third party processing has become a relative norm. In fact, I would be surprised if there is anybody out there without some kind of third party that they are working with. Under the GDPR, there are essentially three different types of third parties; so, there are those that you work with within your own European territories, so that’s anybody within the European Union or the EEA. There are then those that are outside of those regions; so, things like working with the US, working with Canada, but they are on a pre-approved list of countries that have data protection law which is adequate to the GDPR, or at least it seems to be. And then finally there is everybody else in the world. So, those are the three different categories of third parties.
Amar: And the EU does treat the others differently, obviously, but I think the primary objective here is to ensure that whoever you're outsourcing to is applying similar, if not hopefully better, controls than you are when it comes to protecting information, personal information. So, let's go with the data transfers within the region, and let's talk a little bit about the EEA, but let’s go through what data transfers within the current economic and EU region are.
Chris: Yes. The GDPR’s main aim has always been to harmonise data protection rules throughout the EU and the EEA. So, the whole idea of it really is that if you have a processor or a third party within one of those regions, then you should have no restriction from having business activity with them. If you have both got the same obligations placed on you, from a law perspective through the GDPR, then you should be able to work together. Obviously, all the expectations of the GDPR are still on you and your third party, so you still need to maintain a high level of security. There is still an expectation of encrypting data at rest, ensuring that back communication between you and your third party is also protected. And, of course, all the other things that we have been speaking about in our previous webinars; so, data subjects’ rights, collecting data lawfully and transparently and, of course, notification for the supervisory authority, and possibly the data subjects, if something goes wrong such as a breach.
Chris: Really, critically, one thing that needs to be differentiated between the previous Act, the Data Protection Act in the UK as it was known, and the GDPR is that liability in the event of a breach is shared between you and your processor, or possibly your third party processor. So, you need to make sure that when you are entering into contracts with your suppliers, your software service providers or any third party contractors, that you are ensuring that they are also complying with the GDPR, because if they happen to suffer a breach with your personal data, or with your data subjects’ personal data, then you are both liable to the penalties for that.
Amar: Yes... In a nutshell, you have to demand from the third party better information on what they are doing on protecting personal information. What are the... about outside the EU?
Chris: Yes. So, obviously the GDPR respects the fact that we live in a globalised economy and the likelihood is that you probably will be engaging with service providers and third parties from outside of the EU and EEA. That’s respected and it’s understood and there are inclusions in the regulation for those scenarios. There is something called the Article 29 Working Party. Now, it’s a bit of a mouthful and I guess people wonder why it's given that name. Simply, it is a group that sits centrally and manages the GDPR, communicates with all the supervisory authorities and all the different regions, and it was brought about by a part of the regulation called Article 29. So, it just inherits the unfortunate name of being the Article 29 Working Party. Part of the Article 29 Working Party’s task is to assess data protection law in other parts of the planet and to produce a list, which you can refer to on the EU’s website - which I don’t have to hand but you can probably Google that - and publish a list of territories around the world that have data protection laws that are equivalent or give guarantees in a similar way to what the GDPR does for data subjects. So, currently on the list - we’ve got in the third bullet point here - are some countries: Andorra, Argentina, Canada, Faroe Islands, Guernsey - I won’t read through the whole list. You'll also see that the US is missing from that list currently, but the US is considered to be a country of safe data transfer. However, there is a bit of a back story to this which is worth exploring. Now, you’ll all probably remember something that was known as Safe Harbour; that was the original legislation that was supposed to be providing data protection under the Data Protection Act, or data transfer to US third parties. That was deemed in October 2015 as not being sufficient. It was very quickly proposed that a replacement called the Privacy Shield was implemented.
It was reviewed by the Article 29 Working Party, and they actually raised three points about Privacy Shield which they weren’t happy with. And again, that has subsequently been revised and as of July 2016, the US has been considered a country that should be included on that list of safe data transfer. So, as it stands today, the US is a perfect place to send your personal data to. There are some concerns still around Privacy Shield but as it stands today legally, that is still considered a safe third party location.
Amar: Yes, not going into some of the other names that are on that list. Some very interesting ones, some I’ve not even heard of, but that’s a separate discussion for a different day. Yes, the privacy or the Privacy Shield is an interesting story. Those who haven't yet read about it should read about what happened then and why Safe Harbour was struck down. But in a nutshell, there are some safe countries outside the EU and an organisation must be aware, if they are going to do business outside the EU, of whether those third party suppliers are located in these countries. If not, if your outsourcers, as many are, are not primarily located in the EU or the approved EU region, and they are in non-approved locations, how do you manage that risk? Chris, what does the EU say specifically about this?
Chris: Yes, so, if we take a step back… when your third party is based within the EU or the EEA, you are expected to, in essence, question your supplier, I guess, on whether they are GDPR compliant, or the GDPR is effectively in force, peer-to-peer, in that sense. When you're working with an organisation that is based in one of the friendly countries, you are still expected to ask how they adhere to it and have some kind of proof that they do adhere; albeit probably local legislation or, in the case of the US, probably Privacy Shield. There is still an exception that allows you to work with third party suppliers that are within countries that are not on the approved list, and also not within the EU or the EEA, and the way that we essentially do this is to implement something called a Model Binding Corporate Rule. Now, these already exist under the Data Protection Act and there are probably going to be some draft examples of these published by the Article 29 Working Party, or even your local supervisory authority, to assist you in this place. But it's nothing new and all it does is set out, from a corporation to corporation perspective as opposed to a local legislation perspective, the rights of your data subjects. So, you are essentially just enforcing the same principles from the GDPR but in this case on a corporate basis, not on a country-wide legislative basis.
Amar: I mean...
Chris: Really important, I think, in this case because we're talking about corporate law and we are not talking about territory or nation law, if you are engaging with a supplier outside of the EU, EEA or one of the safe countries in the list, you should definitely engage a corporate lawyer or a specialist in that area to help you draft up those laws.
Amar: Totally, totally… and to stress, as we always do, take professional legal advice and legal counsel on everything related to the GDPR. It’s a very new topic; many, many regulators themselves are seeking clarification. So this series of eight is to bring you up to speed on the overall areas of the GDPR. If you haven't seen the previous seven, please go to our BrightTalk channel or you can go to cm-alliance.com. But on the third party risk, third parties are a significant threat to a business in terms of exposing your business to the risk of data loss, and when it comes to the GDPR, there is no excuse anymore. If you need to save money, you must at the same time have all the necessary evidence, not just “Oh, it’s already happening, we are ISO certified.” No; I love ISO Certified, CM Alliance helps organisations become ISO Certified; however, if your third party tells you “I am ISO Certified and, you know, we have all, all of these certifications”, that does not mean anything unless you have done your own due diligence and taken due care. So, do keep that in mind… having a certification does not mean an organisation is necessarily secure and does not mean much unless you understand what the scope of the certification is. We could go on and on but, you know, third parties are a major threat. We can't get rid of them. We are all third parties in some way whatsoever. Make sure you know who you are dealing with and understand what they are doing, with an evidence-based approach. I want to thank Chris Payne, Managing Director of Advanced Cyber Solutions, our resident GDPR expert also; and thank you everybody for listening in and keep checking back. Visit our BrightTalk channel for the previous series and new series that we are going to talk about. Chris, thank you so much.
Chris: Thank you.