How to quickly check client GDPR-compliance
Since the dual-event of the GDPR implementation deadline of May 25th 2018 and the enactment of the UK Data Protection Act 2018, a single question has been asked in a sometimes panicked tone: ‘Are we GDPR-compliant?’, writes Charlotte Gerrish of data protection and privacy advisory Gerrish Legal.
While this is all well and good if you’re a limited company contractor, the focus shouldn’t only be on whether you have your own house in order for all things privacy-related, but also whether your clients are meeting their GDPR obligations.
As we have seen in a recent poll, many companies are not actually up-to-speed. Evidence of this can also be found in the recent fines, investigations and statements by the ICO in respect of large organisations such as Dixons Carphone, Ticketmaster, BT and Yahoo. These are in addition to data grumbles about Facebook, Twitter and WhatsApp.
Indeed, many US-based companies were slow to kick-off their GDPR-compliance programs, in the belief that the GDPR was a European law, but they eventually realised that if they are offering goods or services in the EU or to EU data subjects, their commercial activities are caught by the GDPR.
As we have explored on Contractor UK previously, clients are usually acting as ‘data controllers’ of the personal data they handle, and US tech companies and other multinationals are no exception to this rule. Contractors usually act as ‘data processors’ of their client data, since they are not making any decisions about that data of their own accord, and most of the time are operating within the strict instructions given to them by their clients. In this scenario, when acting as data processors, contractors have strict obligations that they need to adhere to, as set out in Article 28 of the GDPR.
What IT contractors need to make sure of (cont.)
Despite this allocation of roles under the GDPR, contractors also need to make sure that their own clients are compliant with privacy laws. By checking data protection processes at the client end, contractors will be better able to manage their own GDPR liability. This is particularly important if contractors will be handling personal data on behalf of their client as part of the contractor assignment. According to the mentioned poll, that challenge is likely to be acute if your client is a technology company.
So even though many of the companies that are emerging as not GDPR-compliant are the tech giants which are best-positioned to be prepared and equipped, the sheer scale of these organisations makes compliance a mammoth task. This means that, on occasion, they miss the mark -- so it is important for contractors working for these IT, Digital or Tech-focussed entities to protect themselves, as the contractor’s risk of liability in such businesses is potentially heightened.
We won’t insist on the importance of formalising your controller-processor obligations in this article, since we have covered that topic before. However – if your client says that a data processing agreement isn’t applicable or isn’t necessary when you are clearly in a controller-processor relationship, that is the first red-flag that your client is not GDPR-ready!
As contractors are rather up against it at the moment (‘IR35’, anyone?), here are three quick and easy but tactful questions for contractors to ask, if their end-users’ GDPR and data protection practices look lax.
1. ‘Can you tell me your journey?’
(or in writing -- ‘GDPR COMPLIANCE OVERVIEW’)
Any organisation with a credible GDPR compliance program should be able to share their GDPR journey with you – the data processor, or sub-processor.
This should include being able to supply you with:
- Information about the steps that they have taken towards GDPR-readiness.
- Whether or not they have appointed a Data Protection Officer (and if not, the justifications as to why not).
- Copies of their GDPR-compliant privacy policies.
- Evidence that any personal data you are processing as part of your contracting activities has been obtained and is being processed lawfully.
If you really want to spare their blushes, a good initial way of assessing your client’s GDPR compliance overview (if you don’t want to ask for it outright) is to check the client’s website. So online, you should look out for:
- Appropriate cookies wording.
- Consent tick-boxes where appropriate.
- Hyperlinks to their GDPR-compliant privacy policies.
If this information is missing from your client’s website and/or is not readily available when requested from your client-contact, be warned that it is possible this client’s GDPR practices are wanting.
2. ‘Are we staying safe on our more exotic transfers?’
(or in writing -- ‘INTERNATIONAL TRANSFERS’)
The GDPR states that any processing of personal data carried on outside of the European Economic Area (EEA) in respect of EU data subjects is not permitted unless it is subject to certain safeguards (see Chapter V of the GDPR). These safeguards include transfers being carried out on the basis of:
- An adequacy decision, i.e. when the European Commission rules that a non-EEA country offers the same level of data protection as an EU Member State (NB: so far, adequacy decisions exist for transfers of personal data to Andorra, Argentina, Canada [commercial organisations only], Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US [if subject to the Privacy Shield, see below]).
- Binding corporate rules (BCRs).
- Standard contractual clauses adopted by the Commission (or when available, by a supervisory authority such as the ICO).
- An approved code of conduct or certification mechanism (when available).
- And for EU-US transfers, Privacy Shield Certification.
If your client is unable to justify the basis on which it relies for its non-EEA international data transfers when asked, this is a red flag that their GDPR compliance may not be up to standard.
3. ‘Perhaps ping the policies please?’
(or in writing – ‘IT SECURITY MEASURES’)
Articles 32 to 34 of the GDPR impose IT security measures on any organisation processing personal data of EU data subjects. Your clients are no exception!
Ask your clients for copies of their Cyber and IT Security policies. Such policies should document the technical and organisational measures they need to implement, including:
- The pseudonymisation and encryption of personal data (Article 32(1)(a) GDPR).
- Their ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services (Article 32(1)(b) GDPR).
- Their ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident (Article 32(1)(c) GDPR).
- Their process for regularly testing, assessing and evaluating their Cyber and IT Security measures (Article 32(1)(d) GDPR).
Of course, while formal international standards and certifications are not (yet) required by the GDPR, if your client does have ISO 27001 certification, this is a good indication that their IT security complies with the GDPR requirements.
And finally contractors, what will you do if it appears that your client is not GDPR-ready?
Well, in order to reduce your exposure, it is always a good idea to note your concerns to them in writing in the first instance, and try to reach an amicable solution so that you feel comfortable that you will be providing your services in a GDPR-friendly environment.
However, the next step, especially if you notice significant data protection failings at your client, might include seeking appropriate indemnities in your contractor agreement to cover you against GDPR liability caused by their failings. It also means making sure that you (and your client) have appropriate insurance cover in place in the event of any data protection breach, especially in light of the high level of sanctions which can be applied for non-compliance. The ICO has suggested that it will go easy on initial failings. But it has taken a no-nonsense approach to the big companies of late, and the potential reputational damage of being seen as not GDPR-compliant is something all companies, irrespective of size, would be wise to avoid.
Editor’s Note: The author, Charlotte Gerrish, is the founding lawyer of Gerrish Legal, who has more than 10 years of legal experience at international law firms and companies in London advising on data protection and commercial law issues. This article is for guidance purposes only and does not constitute definitive legal advice.