Beyond Certification
May 25, 2022
The title of this blog may seem odd coming from a person who has spent the last 22 years promoting service provider certification. Please bear with me.
As readers already know, the premise of Data Processor certifications has changed. Where once they simply provided a general reassurance that a reputable third party had signed off on the vendor’s practices, now, if properly constructed and managed, those certifications fulfill a client’s regulatory due diligence requirements. Certification has gone from providing a warm and fuzzy intangible, to a very real, tangible benefit.
Another way to look at it is that clients have two options to meet their vendor selection due diligence requirements. 1.) They can review their prospective Data Processors themselves – both initially and ongoing after hiring – against the relevant regulatory and security requirements, or 2.) They can rely on a reputable, bonafide certification program to do it for them.
So, what is this about looking beyond certification?
The fact is, there are two things a certification cannot do… and should not do… which are equally important to a client compliance and/or risk, namely, the quality of their data processor contracts and insurance.
All data protection regulations necessitate a contract between the Data Controller (the client) and the Data Processor (service provider)
I specifically use the word “necessitates” because some U.S. regulations are silent on such contractual engagements, but, in all practicality, the absence of such a contract would almost certainly be deemed negligent. In court the question would be, “Do you mean to justify to the court that you were entrusting this vendor with personal information your firm was required to protect and you had no contract with to hold them accountable?”
Again, for the most part, regulations, even in U.S. do require a Data Controller-Data Processor contract. Furthermore, with data protection regulations now applying to citizens versus territories, the only prudent course is to default to the most rigorous.
Contracts are by nature not something a certification can have much overlap, besides, that is, the obvious overlap of a contract requiring a vendor maintain a certified status. Beyond that, however, a certification cannot (and should not) be expected to stipulate all the various particular issues and clauses that a Data Controller-Data Processor contract would. There are simply too many variables and subtleties.
The same can be said about insurance, and, more specifically, Professional Liability Insurance (PLI). PLI would be the insurance a service provider would rely on to cover the expense on any accident or negligence in the performance of their professional duties. From the Data Controller’s perspective, the availability and quality of PLI are critical, since the insurance is what allows the Data Processor to be held financially responsible.
As a side note, I cannot tell you how many times I have seen Data Controllers passing on financial liability to a Data Processor with no reciprocal requirement for that Data Processor to have PLI. Of course, this stipulation would be useless unless it was accompanied by the Data Controller’s evaluation of the PLI, since there is the strong possibility that the policy has problematic exclusions.
Back to the topic at hand, though, this is exactly the reason a certification cannot simply mandate Data Processor maintain PLI, since the certification cannot evaluate the insurance anymore than it can mandate necessarily specialized, custom contracts.
So what?
Well, for the client requiring certification it means there is more to do, and that there is no shortcut. Contracts and the professional liability of the service provider are always going to be something requiring they get into the weeds.
For the service provider, it means opportunity. Being able to help clients understand and navigate their contract and insurance requirements and risks will both set them apart from their competition as a true professional and earn them the margins they deserve as such a professional. Looking at it from another angle, it is only a matter of time before clients become aware of these issues. It will certainly reflect more positively if the service provider that has already made it known that they are aware of these issues, or at least is able to respond intelligently, versus simply looking back at the client, shrugging and clueless.
End note for clarity: Contracts fall under both compliance and risk management. Insurance, on the other hand, is not a compliance issue but definitely falls very high on the risk management continuum.