Brazil: Operationalising the LGPD: Part four - Vendor risk management
Once fully effective, Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD'), will require many organisations to take extra steps when dealing with vendors with whom data is shared as part of the use of such vendors' services. Alan Campos Elias Thomaz, Partner at AT Advogados, discusses various steps that can be taken to ensure adequate risk assessment in this regard.
In the last part of this series on the LGPD, this article intends to highlight some (but not all) of the measures used in vendor risk assessment and management.
From a privacy perspective, one of the goals of dealing with vendors is reducing both regulatory and reputational risks while sharing personal data with such a vendor. Although the LGPD does not specify which specific measures shall be adopted when engaging with a vendor, there are a few steps and strategies to adopt in the shared use of data with such third parties.
Before even engaging with a vendor, the organisation should have a clear picture of what privacy risks they might face in their activities. Such an assessment will help to identify the most strategic and practical actions to be implemented with vendors.
The first important step is knowing what laws regulate the use of personal data within the organisation. The LGPD is now known as the primary statute regulating the use (and the shared use) of personal data, but it is not the only law that governs the use of information and personal data. Other statutes may apply to the shared use of data in the context of vendors, such as specific regulations in the context of consumer relationships and those applicable to the financial and health sectors. Such laws may impose particular obligations and limitations on the sharing of personal data, and while engaging with a vendor and assessing privacy risks, these requirements and rules should also be observed.
After mapping the applicable statutes, identifying the possible risks associated with the use, access, and storage of personal data will help to determine where a vendor could possibly be engaged or where vendors are currently performing activities. By identifying where personal data is used, accessed, and stored and how the organisation or the business works, sufficient information should be available to assess the privacy risks and, as a consequence, the vendor's risk. If the organisation has not yet mapped where the personal data is, it should do so (what information is collected, the purposes of its use, systems, retention policies, etc.). Otherwise, the management of the vendor's risk assessment may not be effective.
If due diligence on vendors has not yet been conducted, the organisation should consider doing so. Due diligence should be performed on a risk-based approach, i.e. be undertaken first on vendors that present a higher exposure (including regulatory and reputational risk). In addition, if the organisation has a privacy governance program in place, the risks identified should be mapped in the context of such a program. Classifying the vendors based on risk and data handling might be appropriate so that the organisation can closely monitor the vendors periodically.
Engaging with vendors
One of the most critical aspects to assess and manage vendors' risk is having good coordination with the key departments of the organisation. In many cases, those departments are responsible for engaging with the vendor, and they should be aware of relevant privacy risks. Organisations can determine the level of authority and oversight of each department.
Training these teams on how to identify privacy issues in vendors and establishing reporting obligations to the privacy team (or even making privacy a step of the vendor approval process) may be helpful to control the overall risk of using vendors. As a policy for engaging with a vendor, developing thresholds that require approval might be useful to avoid assuming unintentional or unforeseeable risks while engaging with such third parties.
Unlike the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') in the EU, the LGPD does not expressly require organisations (whether as controllers or processors) to execute contracts when there is shared use of personal data with third parties, including vendors. Sector-specific laws, such as those of the financial sector, may require the execution of a contract with vendors. However, although not expressly required in many cases, executing a contract with vendors may be highly recommended to mitigate privacy risks, mainly when the vendor is involved in activities of high risk to the organisation.
Generally, the LGPD (Article 42) establishes a joint liability regime for the shared use of personal data. Such liability may be limited in specific circumstances. For example, when the processing agent does not carry out the activity, and the damage was caused exclusively by the other party, liability might be excluded against third parties. In this case, having a contract to identify the responsibility of each party might be helpful. When the liability cannot be excluded by law, such an agreement may also establish a right to be indemnified when one party has not caused the damage.
In addition, the LGPD establishes the obligation for both controllers and processors to adopt technical and organisational measures in order to protect personal data from unauthorised use. Among other possibilities to comply with such a requirement, this provision may include an obligation to impose specific obligations on vendors when there is shared use of personal data.
Therefore, to mitigate the risks described above, organisations should include in their agreement with vendors specific roles and responsibilities concerning data protection, notably when the Privacy Impact Assessment demonstrated that such a processing activity implies a high risk to the organisation.
A few standard areas that might be covered in contracts with vendors are the following:
- each party's role concerning the processing of personal data;
- how the parties will share personal data and for what purposes the data will be used;
- which party is responsible for collecting the data subject's consent, where applicable;
- how the transparency obligation under the LGPD will be complied with, i.e. which party will make available information to the data subject;
- how the data subject's rights will be complied with and who will handle the data subject's requests;
- if there is an international transfer of personal data and, if so, what mechanisms should be used to comply with the LGPD;
- what are the specific obligations and measures, from a technical and organisational perspective, that should be adopted by each of the parties to protect personal data against unauthorised access and accidental or unlawful situations of destruction, loss, alteration, communication, or dissemination;
- the obligation to notify the other party about incidents involving shared personal data;
- the duty to delete personal data during the contract and after the termination of the agreement, if applicable;
- what is the responsibility of each party to achieve compliance with the LGPD, including the contractual and non-contractual liability of the parties in relation to data protection, and, where appropriate, the indemnification against the one performing the processing in non-compliance with the LGPD;
- the commitment to establishing corporate policies to protect personal data;
- the right to audit the other party to verify compliance with the LGPD; and
- obligations for subcontracting a processing activity.
Ongoing monitoring and data incidents
After executing an agreement with a vendor, it might be recommended, based on risk and staffing availability, to periodically check the compliance of the vendor with applicable privacy and data protection provisions, both contractual and regulatory. Conducting technical audits may also be recommended in some instances.
In addition, having in place a data breach response plan is quite essential on both sides (i.e. both the organisation and its vendors) so that data incidents can be duly identified and handled, when necessary.
For more sophisticated privacy programs, conducting ongoing assessments and maintaining privacy KPIs on vendor risk and management may be an essential tool for further development of a privacy governance program.
Organisations should have in place the thresholds to abandon an engagement with a vendor when compliance with privacy and data protection does not achieve a minimum level. In this case, knowing what happens, having a good agreement with the vendor, and an established procedure to know who makes the call to terminate may help. Again, educating business units on the importance of complying with data protection laws is crucial to understand when to terminate an agreement with a high-risk vendor.
As mentioned above, the LGPD establishes the obligation for both controllers and processors to adopt technical and organisational measures in order to protect personal data from unauthorised use. This provision also applies to the termination of an agreement with the vendor. Therefore, revoking access to personal data and certifying that such data is returned or destroyed is crucial. Also, so as not to disrupt business operations, the organisation may need a transition clause to address how data will migrate from one vendor to another.
This article highlighted some (but not all) of the measures used in vendor risk assessment and management. As demonstrated above, having a risk assessment procedure, a policy to engage with vendors, privacy and data protection clauses, a monitoring procedure, and a termination policy might prove helpful when addressing privacy and data protection risks related to a vendor.
Alan Campos Elias Thomaz, Partner
AT | Advogados, São Paulo