Recent Guidelines issued by the EDPB hold that merely restating the provisions of Art. 28 GDPR within a Data Processing Agreement (“DPA”) will no longer suffice insofar as compliance with the GDPR is concerned. Rather, a DPA must also include detailed information as to the security measures adopted, as well as providing for a regular review of such measures. Here, the controller is obliged to assess on a case-by-case basis the type of processing entrusted to the processor while considering the nature, scope, context and purpose of such processing; this is deemed to be a form of risk assessment.
The Guidelines stipulate several elements which should be considered to prove the sufficiency of the processor’s guarantees: the processor’s expert knowledge, reliability and resources. The processor’s reputation on the market may also be a relevant indicator. Adherence to an approved code of conduct or certification mechanism may also be used to demonstrate sufficient guarantees. Such demonstration is seen as an ongoing obligation; hence, the controller must verify such guarantees – including through audits and inspections – to ascertain continued compliance.
The Guidelines reiterate the need for information as to the security measures to be adopted, the processor’s obligation to obtain the controller’s prior approval before making changes, and a regular review of security measures. The aim behind such requirements is to ensure that the measures remain appropriate with regard to risks which may evolve over time. While the Guidelines do not specify the extent to which such detail is to apply, it must be sufficient to enable the controller to assess the appropriateness of measures pursuant to Art. 32(1) of the GDPR.
Hence, the details provided must be sufficient to allow the controller to assess the appropriate levels of security in relation to: pseudonymisation and encryption, ensuring ongoing confidentiality, restoring data in a timely manner and any processes to regularly test, assess and evaluate the effectiveness of such technical and organisational measures to secure processing. These descriptions are also necessary to establish the controller’s compliance with their duty of accountability, pursuant to Art. 5(2) and Art. 24 of the GDPR. Following this, there is also the processor’s obligation to assist the controller and make available all information necessary to demonstrate such compliance.
Since the above must be done on a case-by-case basis, one may not implement a one-size-fits-all approach. In certain cases, the controller may opt to provide a clear and detailed description of the security measures to be implemented, although no reference is made within the Guidelines to how high- or low-level such a description must be. In other cases, the controller may describe the minimum security objectives to be achieved, while requesting the processor to propose the means through which such implementation would occur. More often than not, processors will already have compiled their own standard policies detailing their security measures; therefore, in practice, controllers are advised to read through such policies and check that the measures comply with the Guidelines, presumably by involving their technical and IT staff.
The Guidelines emphasise the obligation of the controller to provide the processor with a description of processing activities, security objectives, as well as their approval of the processor’s proposed measures.
Overall, the Guidelines do not propose any tangible solution or any practical guidance on the level of detail required for processor security measures. Ultimately, such guidance may not be possible when considering the myriad of possible processing scenarios. The Guidelines do, however, reiterate that such security measures must be described in a manner which enables the controller to easily ascertain compliance with its obligations under the GDPR.