Why Is Sub-Processor Due Diligence Important Under Data Protection Law?

In our data-heavy world, companies often engage third parties to process personal data on their behalf. Often, a data processor will engage third-party ‘sub-processors’ to process specific personal data on behalf of a data controller (usually their customer). Several legal rules will apply under the stringent UK GDPR data protection law regime in this case. Due diligence is vital for a data processor to comply with data protection law, as it helps ensure that a sub-processor will fully safeguard a controller’s data. This article will explore sub-processor due diligence and why it is essential under data protection law. 

What Does Sub-Processing Mean?

UK GDPR compliance requires a thorough understanding of the dynamic between data controllers and processors. 

Data controllers decide how and why personal data is processed. Processors, acting on their behalf, carry out the specific instructions of the controllers. 

Processors may also involve additional ‘sub-processors’ for specific reasons, creating a data processing chain. 

Examples of data sub-processors include cloud service providers, such as Microsoft Azure or Amazon Web Services. Their services can be crucial for businesses. 

What Is Sub-Processor Due Diligence?

Under data protection law rules, data processors have a huge responsibility to ensure the security and safety of personal data when involving sub-processors. This requires careful due diligence on any third-party sub-processors brought into the data processing chain. 

GDPR Essentials Factsheet

This factsheet sets out how your business can become GDPR compliant.

Download Now

Selecting a sub-processor carries significant risks. To protect themselves from liability, processors must evaluate potential sub-processors to ensure compliance with UK GDPR and enter into a robust sub-processing agreement. 

Due diligence involves investigating factors such as their strategies for preventing unauthorised data processing and loss, their technical security protocols, procedures for data destruction, internal controls for managing data security risks, and employee training. 

Why Is Sub-Processor Due Diligence Important?

Sub-processor due diligence is vital for many reasons, including:

• a processor will be fully liable to the ultimate controller for the sub-processor’s compliance with UK GDPR with respect to processing the controller’s data. If a sub-processor is at fault, the controller could claim against the processor for their omissions;
• commercially, using a poor sub-processor could result in reputational damage for a processor. For instance, the controller customer may not want to work with a processor again if their sub-processor has caused problems, such as a data breach due to poor data security;
• controllers must give prior authorisation for the use of sub-processors. In some cases, controllers will need to provide specific approval of a sub-processor. Robust due diligence and strong evidence of good data practices can help convince a controller to approve a particular sub-processor; and
• generally, due diligence and documenting such efforts can help demonstrate accountability and UK GDPR compliance. 

Processors should thoroughly document their due diligence procedures, regularly conduct audits or reviews, and maintain comprehensive records of all data categories processed by sub-processors. These records should be readily accessible for data protection regulators upon request.

What Should Sub-Processor Due Diligence Involve?

Due diligence by a processor should assess how the sub-processor adheres to UK GDPR compliance, including questions such as: 

• Is the sub-processor and its business activities UK GDPR compliant?
• Does the sub-processor have appropriate technical and security measures to protect personal data? Are those measures sufficient for the data processing projects, e.g. if the data is high-risk?
• Can the sub-processor comply with the same processing terms you agreed upon with the ultimate controller? You will need to ‘flow down’ your obligations to the sub-processor. 
• Is there any risk of a data breach by the sub-processor?
• What processes and policies do they have in place for destroying personal data?
• Do they provide training to their staff who will handle personal data?

These are some key questions you should consider during your initial due diligence. However, once you have signed a contract with them, you should continue to review their performance by conducting regular audits and reviews to ensure they comply with their contractual obligations. 

Overall, due diligence will enable you to select appropriate sub-processor partners you can trust and rely upon. 

Key Takeaways

Sub-processor due diligence ensures compliance with data protection laws, particularly under the stringent UK GDPR regime. As companies commonly procure third-party sub-processors to handle personal data, verifying that these third-party businesses will safeguard the personal data entrusted to them becomes vital.  

Sub-processor due diligence involves assessing various factors, including the sub-processor’s compliance with UK GDPR principles, their technical and security measures, and their ability to adhere to processing terms agreed upon with the controller. 

Due diligence helps mitigate risks such as data breaches and ensures that sub-processors align with the controller’s obligations. By conducting thorough due diligence and ongoing reviews, processors can select reliable sub-processor partners and demonstrate a proactive approach to data protection, helping to foster trust and compliance within the data processing chain.

If you need advice on UK GDPR compliance and appointing a sub-processor, contact LegalVision’s experienced IT lawyers as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.