This initial investigation was triggered by guidance released by the ICO in the UK, which insists that processors must grant audit and inspection rights to their controllers in their contractual terms.
In the GDPR, Article 28.3.h states:
That contract or other legal act shall stipulate, in particular, that the processor:
makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
I have worked for a number of large processors and directly dealt with the thorny issue of audit rights in my past. This looks like an additional cost for processors that they cannot charge the controller for or avoid with interesting language inserted in the contract.
There appears to be no wiggle room for the processor in the text of Article 28.3.h. No flowery language like “where appropriate”.
Historically there were, and currently still are, many ruses to ensure that an audit of your security controls is never directly permitted. A common one is to bat the request away by ensuring that the work you do is covered by a security certification such as ISO 27001: the external audit has been undertaken on your behalf, so you don’t have to bother with anything else.
The last thing that a processor wants is a controller turning up at short notice (30 days was a common threshold insisted upon to allow time to prepare for a customer audit). The reality is that hosting such an event is an extremely costly and time-consuming task for the processor. Fortunately for the processor, the same is true for the controller. As a result, very few real audits get undertaken unless there is significant pressure from some direction. After all, everyone’s margin is being wasted as far as the accountants are concerned.
But the wording of Article 28.3.h allows the controller to insist on “inspections”. So what can we do as an “inspection” that is not on the same cost scale as a full audit? Well, I think we can get away with pretty much anything in the name of compliance with the GDPR.
So how creative can we get?
The processor must comply with requests from the controller for audits or inspections.
I think the answer here is that pretty much anything you could currently consider to be within the scope of third-party security assurance can be turned into an ongoing “inspection”.
Policies and procedures are obviously fair game. We can “inspect” them to ensure that the requirements we have placed on our data are being managed and implemented correctly.
How about a request to inspect the current state of your patch status across your estate? This can be provided as a report. Little cost to the controller. Little cost to the processor. It would be very relevant and enlightening.
How about an inspection of the current status of the security controls as monitored by the processor? Sounds perfectly reasonable. And can we have that as a regular monthly report, please?
Essentially anything that can be requested from the processor can be packaged as an inspection of their current security posture. You just have to place the request within the terms laid down by Article 28.3.h and get a lawyer to draft the link between your request for information from the processor and their legal requirement to comply with that request. A nice new clause to be added to your standard third-party security schedule.
OK. Third-party assurance has now been given some teeth, to the extent that the processor can no longer refuse to provide the controller with this “inspection” information. Clearly the third party has to be processing personal data on the controller’s behalf to qualify, but that covers pretty much everyone.
So what should I ask for?
In theory, there is nothing to stop you asking for a summary set of monthly reports that detail the processor’s current security position on any of the standard security controls:
- Access Control (any metrics collected by the processor)
- Vulnerability Management (patch status across the estate)
- Anti-virus alerts or engine update statistics
- DLP alerts for any controller specific requests
Could we get away with defining a monthly inspection report that the processor has to provide to satisfy the requirements of their contractual commitments?
I think this is very possible. And it would require the processor to expose the reality of their internal security position to the controller.