
Third Party and Vendor Data Processing Requirements Compliance Assessment Checklist

Blog By

Ms. Jane Ombiro, CIPP/E, CIPM, FIP

Data Protection Expert 

South-End Tech Limited

Date: August 29, 2024

Article 28(1) of the European Union General Data Protection Regulation (EU GDPR), 2016 requires data controllers to use only processors that provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject. The provisions of Article 28(1) are mirrored in section 42(2)(a) of the Kenyan Data Protection Act (KDPA), 2019.

To comply with Article 28(1) of the EU GDPR and section 42(2)(a) of the KDPA, controllers must conduct due diligence on vendors before entering into contractual relationships with them. Controllers must also continuously assess the vendors’ technical and organizational controls through regular audits of the vendor’s systems, policies, processes and procedures.

Only after conducting due diligence can a controller determine whether a processor provides sufficient guarantees.

Controllers typically conduct due diligence by sending their ‘vendor assessment form’ to third parties, who populate it with the requisite information. The vendor assessment form should cover information security, data protection and privacy, human resource security, physical and environmental security, the incident response plan, and the disaster recovery and business continuity plan. Where possible, processors should be required to provide evidence supporting their responses, rather than self-attestation alone.

When conducting due diligence on potential data processors, controllers should consider at least the following.

  1. Whether the processor has, and actually implements, data protection and information security policies.
  2. Whether the processor has been registered by the relevant Data Protection Authority.
  3. Whether the processor adheres to recognized information security standards such as ISO/IEC 27001.
  4. Whether the processor conducts regular security and privacy assessments.
  5. The physical and technical security controls implemented by the processor.
  6. The existence of confidentiality clauses in contracts between the processor and its employees who handle client personal data.
  7. The existence of a Data Protection Officer (DPO) or an equivalent role within the processor’s organization.
  8. Whether the processor conducts regular data protection training for its employees who interact with client personal data.
  9. The processor’s recovery time objective (RTO) and recovery point objective (RPO).
  10. If the processor is a software service provider, such as a cloud storage service provider or an ERP service provider, whether it holds a valid cybersecurity/information security certification issued by an independent third party.

Failing to conduct due diligence prior to engaging the services of data processors amounts to a violation of article 28(1) of the EU GDPR and section 42(2)(a) of the KDPA. This violation can result in an administrative fine being imposed on data controllers by the relevant regulatory authorities.

In the matter of Slane Credit Union (SCU) Limited, the Irish Data Protection Commission faulted Slane Credit Union Limited for failing to conduct due diligence on one of its processors. In this matter, the Data Protection Commissioner, having reviewed the Final Inquiry Report and other materials provided to her, determined that there were three (3) issues on which she had to make a decision.

This article is limited to issue number three (3), in which the Data Protection Commissioner was to determine whether Slane Credit Union Limited had infringed Article 28(1) of the GDPR by failing to conduct due diligence on one of its processors.

In responding to the above issue, the Data Protection Commission stated, inter alia: “it is essential that due diligence is carried out to ensure that processors provide sufficient guarantees to implement appropriate technical and organizational measures for the protection of personal data, in line with Article 28(1). SCU have not provided any evidence that they carried out due diligence on the Processor in relation to the Processor’s data protection credentials, and based on the information collected during the Inquiry, it does not appear that the Processor did, in fact, put sufficient guarantees in place for the protection of personal data”.

Controllers are thus advised to always conduct due diligence and regular assessments on processors, because regulatory authorities rely on Recital 74 of the EU GDPR to hold them liable for processing carried out by processors on their behalf. Recital 74 of the EU GDPR states that the responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller’s behalf should be established.

In conclusion, controllers must conduct due diligence on, and continuous assessment of, their processors to confirm the appropriateness of the processors’ technical and organizational controls. Compliance with this requirement may limit some of the controller’s liability in the event of a breach or non-compliance with data protection requirements on the processors’ part.

Please do not hesitate to contact us for your Cybersecurity and Data Protection Solutions and Service needs by telephone at +254115867309, +254721864169 or +254740196519, or by email at:

jombiro@southendtech.co.ke

dataprotection@southendtech.co.ke or info@southendtech.co.ke
