Over the last few decades, business has shifted from handshakes and local vendors to digital-ink signatures and machine-translated negotiations. This shift has allowed startups to go from unknown to unicorn overnight, and it has greatly extended the reach of modest companies with honest products; however, as a consequence of our digital marketplace, businesses of all sorts and sizes must be ready to handle rapid turnarounds and enormous volumes of information (i.e., “Big Data”) while maintaining a high quality of service.
Fortunately, it is easier than ever for niche companies to outsource certain tasks — and even entire departments — to highly specialized third parties. Unfortunately, the use of third parties can obscure the information pipeline, making it difficult for customers to know exactly where their personal data will go when they sign up for a single service.
Controllers, Processors, and Subprocessors: Oh my!
To address the data privacy and security concerns of individuals living in an increasingly digital world, in 2016, the Parliament of the European Union (EU) passed the General Data Protection Regulation (GDPR). Although the GDPR must be upheld only when transacting with or processing the personal data of EU citizens, many companies have chosen to adhere to it when handling the data of citizens of non-EU countries as well. For this reason, the GDPR has been influential beyond its specified borders, affecting business operations around the globe.
To improve transparency into the ways in which companies gather, store, and process data, the GDPR defines the rights of the data controller (i.e., the party who decides how and why data is processed) and the obligations of the data processor (i.e., the party who processes data on behalf of the controller). In addition, it provides guidelines for handling cascading subcontracts, wherein a processor transfers data to subprocessors for certain tasks. The controller must provide written authorization before a subprocessor can be entrusted with data processing tasks, and even thereafter, the processor remains liable to the controller. Further, the processor must ensure that its subprocessors can uphold the same data protection requirements agreed upon in its contract with the controller.
To highlight how controllers, processors, and subprocessors are related, let’s suppose that you are a small business owner who sells trinkets. Your trinkets sell well, but they are only available in a small number of brick-and-mortar stores, and you rely on word of mouth to reach new customers. To expand the market for your trinkets, you want to build an eCommerce website; however, you have never built a website, and you do not know how to use one to grow your business.
Rather than staff a full-time marketing team, you (controller) decide to hire Company A (processor) to build your website, and as part of your agreement, Company A will provide marketing and web analytics services for one year after the website's launch. However, when you review the terms of your contract, you see that Company A uses several subprocessors: Company B for content creation and search engine optimization, Company C for web traffic data processing, and Company D for dashboard development; to make matters more convoluted, Company D uses Company E for dashboard hosting, and Company B hires freelancers via Company F.
At this point, you are not sure if you are hiring Company A or eating alphabet soup, but the sales representative at Company A assures you that all their subprocessors will maintain the level of service Company A outlined in the contract and that all subprocessors refer to the GDPR for guidance on data privacy and security. This explanation sounds promising, so you click here, there, and there to initial, initial, and sign.
Information Flow in Subprocessor Networks
Although the GDPR went into effect in 2018, subcontracting has been around for much longer: for as long as there have been tasks to do, there have been ways to delegate those tasks to third parties. However, the distinction between subcontracting and sub-processing is important, not only because of the interconnectedness of the infosphere but also because of the sensitive nature of certain data, and the GDPR formalized the ways in which information processing tasks can be handled.
So when a controller signs an agreement that allows a processor to collect and manipulate their data, they are implicitly stating that they trust the processor (and all associated subprocessors) to keep that data safe. However, even if the security postures of the processors and subprocessors match the state of the art, security breaches can occur, and a breach at one company can have far-reaching effects. For example, in a highly connected network, a breach several levels removed from the controller can still have serious consequences, depending on the nature of the data obtained.
Although there are risks associated with large subprocessor networks, there are also significant benefits to third-party processing. For example, small or specialized companies can outsource auxiliary processing tasks while focusing on their bread and butter. Furthermore, for sensitive data processing tasks, such as those involving financial or health information, a custom solution is unlikely to meet the quality of a specialized third-party solution with a proven track record in that area. Finally, the use of subprocessors decentralizes a company’s data resources; therefore, even though there are more points of failure, each point likely has fewer pieces of the puzzle.
We're Here to Help
Transparency around data processing is an important aspect of building trust with customers. Therefore, companies that outsource processing tasks involving customer data should ensure that processor information, such as the location and purpose of processing, is readily available. With Trustpage, you can easily add data processors to your company's trust center to allow customers to see why and with whom their data is shared.