How to Demonstrate Compliance With GDPR Article 28

UK GDPR Version

Processor

1. Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
2. The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.
3. Processing by a processor shall be governed by a contract or other legal act under domestic law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. That contract or other legal act shall stipulate, in particular, that the processor:
• (a) Processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by domestic law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
• (b) Ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
• (c) Takes all measures required pursuant to Article 32.
• (d) Respects the conditions referred to in paragraphs 2 and 4 for engaging another processor.
• (e) Taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III.
• (f) Assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor.
• (g) At the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless domestic law requires storage of the personal data.
• (h) Makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
   
  With regard to point (h) of the first subparagraph, the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other domestic law relating to data protection obligations.
4. Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in paragraph 3 shall be imposed on that other processor by way of a contract or other legal act under domestic law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this Regulation. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor’s obligations.
5. Adherence of a processor to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate sufficient guarantees as referred to in paragraphs 1 and 4 of this Article.
6. Without prejudice to an individual contract between the controller and the processor, the contract or the other legal act referred to in paragraphs 3 and 4 of this Article may be based, in whole or in part, on standard contractual clauses referred to in paragraph 8 of this Article, including when they are part of a certification granted to the controller or processor pursuant to Articles 42 and 43.
7. The Commissioner may adopt standard contractual clauses for the matters referred to in paragraph 3 and 4 of this Article.
8. The contract or the other legal act referred to in paragraphs 3 and 4 shall be in writing, including in electronic form.
9. Without prejudice to Articles 82, 83 and 84, if a processor infringes this Regulation by determining the purposes and means of processing, the processor shall be considered to be a controller in respect of that processing.

Technical Commentary

GDPR Article 28 deals with 8 constituent areas, that govern how data processing activities may be outsourced to third party service providers:

1. The minimum requirements needed in order to use a service provider.
2. Further engagement by other processors, once the service provider has been engaged with.
3. The need for a legally-binding, written contract.
4. Sub-processing (sub-contracting).
5. Codes of conduct.
6. Contractual clauses.
7. Form requirements.
8. Legal consequences following a breach of contract.

ISO 27701 Clause 5.2.1 (Understanding the Organisation and Its Context) and EU GDPR Article 28

In this section we talk about GDPR Articles 28 (10), 28 (5) and 28 (6)

Organisations need to undergo a mapping exercise that lists both internal and external factors relating to the implementation of a PIMS.

The organisation needs to be able to understand how it’s going to achieve its privacy protection outcomes, and any issues that stand in the way of safeguarding PII should be identified and addressed.

Before attempting to address privacy protection and implement a PII, organisations need to first gain an understanding of their obligations as a singular or joint PII controller and/or processor.

This includes:

1. Reviewing any prevailing privacy laws, regulations or ‘judicial decisions’.
2. Taking into account the organisation’s unique set of requirements relating to the kind of products and service they sell, and company-specific governance documents, policies and procedures.
3. Any administrative factors, including the day-to-day running of the company.
4. Third party agreements or service contracts that have the potential to impact upon PII and privacy protection.

ISO 27701 Clause 6.12.1.2 (Addressing Security Within Supplier Agreements) and EU GDPR Article 28

In this section we talk about GDPR Articles 28 (3)(b), (1), (3)(a), (3)(b), (3)(c), (3)(d), (3)(e), (3)(f), (3)(g) and (3)(h)

When addressing security within supplier relationships, organisations should ensure that both parties are aware of their obligations towards privacy information security, and one another.

In doing so, organisations should:

• Offer a clear description that details the privacy information that needs to be accessed, and how that information is going to be accessed.
• Classify the privacy information to be accessed in accordance with an accepted classification scheme (see ISO 27002 Controls 5.10, 5.12 and 5.13).
• Give adequate consideration to the suppliers own classification scheme.
• Categorise rights into four main areas – legal, statutory, regulatory and contractual – with a detailed description of obligations per area.
• Ensure that each party is obligated to enact a series of controls that monitor, assess and manage privacy information security risk levels.
• Outline the need for supplier personnel to adhere to an organisation’s information security standards (see ISO 27002 Control 5.20).
• Facilitate a clear understanding of what constitutes both acceptable and unacceptable use of privacy information, and physical and virtual assets from either party.
• Enact authorisation controls that are required for supplier-side personnel to access or view an organisation’s privacy information.
• Give consideration to what occurs in the event of a breach of contract, or any failure to adhere to individual stipulations.
• Outline an Incident Management procedure, including how major events are communicated.
• Ensure that personnel are given security awareness training.
• (If the supplier is permitted to use subcontractors) add in requirements to ensure that subcontractors are aligned with the same set of privacy information security standards as the supplier.
• Consider how supplier personnel are screened prior to interacting with privacy information.
• Stipulate the need for third-party attestations that address the supplier’s ability to fulfil organisational privacy information security requirements.
• Have the contractual right to audit a supplier’s procedures.
• Require suppliers to deliver reports that detail the effectiveness of their own processes and procedures.
• Focus on taking steps to affect the timely and thorough resolution of any defects or conflicts.
• Ensure that suppliers operate with an adequate BUDR policy, to protect the integrity and availability of PII and privacy-related assets.
• Require a supplier-side change management policy that informs the organisation of any changes that have the potential to impact privacy protection.
• Implement physical security controls that are proportional to the sensitivity of the data being stored and processed.
• (Where data is to be transferred) ask suppliers to ensure that data and assets are protected from loss, damage or corruption.
• Outline a list of actions to be taken by either party in the event of termination.
• Ask the supplier to outline how they intends to destroy privacy information following termination, or of the data is no longer required.
• Take steps to ensure minimal business interruption during a handover period.

Organisations should also maintain a register of agreements, that lists all agreements held with other organisations.

Supporting ISO 27002 Controls

• ISO 27002 5.10
• ISO 27002 5.12
• ISO 27002 5.13
• ISO 27002 5.20

ISO 27701 Clause 6.15.1.1 (Identification of Applicable Legislation and Contractual Requirements) and EU GDPR Article 28

In this section we talk about GDPR Articles 28 (1), (3)(a), (3)(b), (3)(c), (3)(d), (3)(e), (3)(f), (3)(g) and (3)(h)

Organisations should conform to legal, statutory, regulatory and contractual requirements when:

1. Drafting and/or amending privacy information security procedures.
2. Categorising information.
3. Embarking upon risk assessments relating to privacy information security activities.
4. Forging supplier relationships, including any contractual obligations throughout the supply chain.

Organisations should follow procedures that allow them to identify, analyse and understand legislative and regulatory obligations – especially those that are concerned with privacy protection and PII – wherever they operate.

Organisations should be continually mindful of their privacy protection obligations whenever entering into new agreements with third-parties, suppliers and contractors.

When deploying encryption methods to bolster privacy protection and safeguard PII, organisations should:

• Observe any laws that govern the import and export of hardware or software that has the potential to fulfil a cryptographic function.
• Provide access to encrypted information under the laws of the jurisdiction they are operating within.
• Utilise three key elements of encryption:
1. Digital signatures.
2. Seals.
3. Digital certificates.

Supporting ISO 27002 Controls

• ISO 27002 5.20

ISO 27701 Clause 7.2.6 (Contracts With PII Processors) and EU GDPR Articles 28(3)(e) and 28(9)

Organisations need to outline the details of any joint PII processing arrangement, with an accompanying PII controller – this includes general protection measures and all associated security requirements.

Roles and responsibilities need to be clear and unambiguous, and outlined in a legally-binding document (sometimes called a ‘data sharing agreement’).

Agreements can include (among other measures):

• Why PII is being shared.
• Data categories.
• A general overview of the PII processing operation.
• Any relevant roles and responsibilities.
• How privacy information security is to be governed.
• What actions are to be taken in the event of a data breach.
• How PII is to be retained, and destroyed when no longer needed.
• What occurs when either party is in breach of agreement.
• What either party’s obligations are to PII principals.
• What mechanisms are in place to provide PII principals with applicable details of the joint agreement.
• How PII principals can make official requests, and how to formulate and deliver a response.
• Points of contact – both internally and for PII principals to utilise.

ISO 27701 Clause 8.2.1 (Customer Agreement) and EU GDPR Article 28

In this section we talk about GDPR Articles 28 (3)(e) and 28 (3)(f) and 28 (9)

Customer contracts should include:

• The concept of ‘privacy by design’ (see ISO 27701 Clauses 7.4 and 8.4).
• How the organisation intends to achieve security of processing.
• How breaches are to be reported, including customer, principals and regulatory authorities.
• How Privacy Impact Assessments are to be dealt with.
• Confirmation of the organisation’s intention to provide assistance to PII protection authorities.

Supporting ISO 27701 Clauses

• ISO 27701 7.4
• ISO 27701 8.4

ISO 27701 Clause 8.2.2 (Organization’s Purposes) and EU GDPR Article 28 (3)(a)

Contracts should include SLAs relating to mutual objectives, and any associated time scales that they need to be completed within.

Organisations should acknowledge their right to choose the distinct methods that are used to process PII, that lawfully achieve what the customer is looking for, but without the need to obtain granular permissions on how the organisation goes about it on a technical level.

ISO 27701 Clause 8.2.4 (Infringing Instructions) and EU GDPR Article 28 (3)(h)

Organisations need to maintain a thorough working understanding of how instructions have the potential to conflict with applicable legislation or regulatory obligations.

Infringements usually occur surrounding three factors.

1. How technology is being used.
2. The premise of the instruction.
3. Any contractual obligations.

ISO 27701 Clause 8.2.5 (Customer Obligations) and EU GDPR Article 28 (3)(h)

Organisations need to be able to provide their customers with sufficient information, so that that customers are able to fulfil their obligations at any given time.

The required information can incorporate a wide range of functions, but is usually related to internal audits, and the organisation’s role in facilitating them through the supply of information.

ISO 27701 Clause 8.3.1 (Obligations to PII Principals) and EU GDPR Article 28 (3)(h)

Controllers’ obligations are governed by three factors:

1. Legislation.
2. Regulation.
3. Contracts.

Contracts should include any information or technical operations that allow the organisation to fulfil its obligations as a controller.

ISO 27701 Clause 8.4.2 (Return, Transfer or Disposal of PII) and EU GDPR Article 28 (3)(g)

There are various scenarios that require the disposal of PII, including (but not limited to):

• Returning any PII to the customer.
• Providing the PII to another organisation.
• Destroying information.
• De-identification.
• Archiving.

Organisations need to provide categorical assurances that any PII which is no longer needed is going to be destroyed in accordance with any prevailing legislation or regional guidelines.

All disposal policies should be available to the customer on demand, and should cover the period of time that organisations have to destroy PII, once a contract has been terminated.

ISO 27701 Clause 8.5.4 (Notification of PII Disclosure Requests) and EU GDPR Article 28 (3)(a)

Organisations should draft a procedure that governs how PII principals are notified of legally-binding third party requests for their information, including a reasonable timeframe and a contractual stipulation that outlines the entire process.

Above all, organisations need to comply with the requests of law enforcement agencies, who have the right to request that the customer is not notified of any request, and ensure they don’t break any laws by accidentally or wilfully informing the customer of the situation.

ISO 27701 Clause 8.5.6 (Disclosure of Subcontractors Used to Process PII) and EU GDPR Articles 28 (2) and (28)(4)

All provisions for the use of subcontractors should be listed as such within the SLA/customer contract.

Information on subcontractors should include:

• The subcontractors name.
• Any countries that the subcontractor are able to transfer data to (see ISO 27701 Clause 8.5.2), so that the customer is able to inform any PII principals.
• How the subcontractor is expected to meet the needs of the organisation (see ISO 27701 Clause 8.5.7).

NDAs should be drafted to disclose any information that would represent a heightened security risk if publicly exposed.

Supporting ISO 27701 Clauses

• ISO 27701 8.5.2
• ISO 27701 8.5.7

ISO 27701 Clause 8.5.7 (Engagement of a Subcontractor to Process PII) and EU GDPR Articles 28 (2) and 28 (3)(d)

Organisations need to obtain written approval from their customers, prior to any PII being processed by a third party organisation.

Subcontractors should be subject a binding agreement (usually in the form of a written contract), which ensures that subcontractors understand their obligations towards implementing the controls listed in ISO 27701 Annex B.

Contracts should take into account various risk assessment processes (see ISO 27701 Clause 5.4.1.2), and the entire scope of the organisation’s PII processing operation (see ISO 27701 Clause 6.12). As above, all controls listed in Annex B should be adhered to, with any omissions listed, alongside the justifications for doing so.

Supporting ISO 27701 Clauses

• ISO 27701 5.4.1.2
• ISO 27701 6.12

ISO 27701 Clause 8.4 (Change of Subcontractor to Process PII) and EU GDPR GDPR Article 28 (2)

Whenever the need arises to change the way that the organisation outsources any element of its PII processing operation, customers should be informed of the changes well in advance in order to give them time to question or object to said changes.

Contracts should include clauses that cater for written authorisation from the customer to go ahead with the change, before any PII is processed.

Organisations may also seek approval for changes within ad-hoc written agreements, outside of any contractual terms.

Supporting ISO 27701 Clauses and ISO 27002 Controls

How ISMS.online Helps

Built to ISO 27701, aligned with other regulations.

With ISO 27701, you can create a Privacy Information Management System that complies with most privacy regulations. This includes the EU’s General Data Protection Regulation, BS 10012 and South Africa’s POPIA.

You can easily follow the international standard with our simplified, secure, and sustainable software.

The all-in-one platform we provide ensures your privacy work aligns with ISO 27701 and meets its requirements.

Find out more by booking a short 30 minute demo.