The media report on cyber incidents every day, and the victims are becoming more prominent and more numerous. Many companies are increasingly aware that they need to invest more in IT security. At the same time, many rely on their system house to take care of their needs, following the principle "they'll make sure nothing happens to us." Do you act according to this maxim?
If so, the person responsible for data processing in the company could still be hit with a painful fine in the event of a data protection breach if it turns out that no order processing contract is in place. Such a contract addresses the data risk, in particular through its description of the technical protection measures. Why?
Because only then does the company that outsources its IT sufficiently take into account the legal requirements of the General Data Protection Regulation or the revised Data Protection Act. According to Art. 28 GDPR/Art. 5 DPO, commissioned processing applies whenever an entity processes personal data on behalf of, and on the instructions of, another party. This is certainly the case with an external IT service provider. But why must the latter also act on the instructions of the controller, and what does that mean?
From a data protection perspective, hospitals, industrial companies, banks, public municipalities and public authorities all process personal data of varying sensitivity; consequently, personal data also differ in the technical degree of protection each category requires. On the basis of a risk analysis, the responsible decision-maker must identify and assess the risks to the personal data of patients, customers, suppliers, etc., and protect that data against loss, misuse and modification by unauthorized third parties with organizational and technical protective measures that the decision-maker defines. Protective measures such as encryption, pseudonymization and anonymization are considered for the integrity of the data; confidentiality is ensured with a rights and roles concept acting as access control for the data; and availability is ensured with redundant data carriers, to name just three examples. The decision on these means must not be delegated by the responsible decision-maker to the external IT service provider.
What must be done? If personal data is processed on behalf of a company by other entities, the principal remains responsible for compliance with the data protection regulations. The contractor may only process the data within the scope of the principal's instructions. In such a case, both sides are obliged to conclude a so-called order processing agreement, with the protective measures listed in an attachment. On the system house side, the right tools must also be available in the portfolio; the IT service provider may advise on their selection!
Examples of cases that require an order processing agreement include external payroll accounting and external bookkeeping, but also the use of networked multifunction printers with a storage function; the tax advisor or the lawyer, however, do not!
These explanations are not exhaustive, and the risk analysis and the order processing contract are only two of the many tasks that your data protection consultant will be happy to carry out for you with your support.