Reducing Privacy Risks Through Contracts: Pre-Contractual Stage

The Buyer's Perspective

    June 29, 2021

    This series will cover some of the necessary steps in a contract negotiation involving personal information. In this article, we will talk about the due diligence required before entering into a contractual arrangement.

    Initial Thoughts

    A recurrent concern when negotiating contracts is how to establish whether a service provider will cause you to be non-compliant. The way to determine that is by conducting due diligence.

    It is inconvenient for a service provider to be seen as non-compliant. Even though it is possible that they won’t accept all changes you request, they may work with you to ensure that, at the very least, your minimum compliance needs are covered.

    A practical recommendation is having several providers to choose from and comparing what they are willing to provide. In any case, you need to be aware that when you delegate data functions to a service provider, you remain liable for that data; therefore, you want to ensure that your provider has all necessary measures in place to protect it.

    Pre-Contractual Considerations

    This series aims to provide you with a high-level understanding of what to look for when reviewing technology agreements. Keep in mind that these are highly specialized agreements, and the best option is always consulting with a professional. If you don’t have that option, try to follow the steps below:

    1. Make sure you understand what legislation and, specifically, what requirements apply to the data you collect. This may be complex because, depending on the industry, the province, and other factors, several pieces of legislation, regulations, and guidelines will need to be considered.
    2. Before engaging in negotiations with a service provider, read their privacy and security policies if available online.
    3. Before disclosing any information to the provider, have them sign a non-disclosure agreement (NDA):
      • Read the NDA’s definition of confidential information to corroborate that personal information and back-ups created by the service provider, if any, are included in the definition.
      • Verify that the NDA’s protection term covers your needs (e.g., during the term of the contract + 5 years).
    4. Define your privacy and security requirements. This will require an internal due diligence process and a good level of teamwork with the provider.
      • Consider what data you handle.
      • Ensure that the data is classified based on its sensitivity level. Privacy protections and security requirements should be applied with that classification in mind.
      • Determine what data points need to be transferred to the service provider and ensure that you won’t be sharing more information than required.
      • Discuss with the service provider the extent to which it would be possible to limit the identifiable information to be transferred or disclosed.
      • Confirm that the data transfer will take place in a secure manner and that both parties will be able to abide by adequate standards of data protection.
      • Determine if there are any data localization limitations and whether the service provider is able to comply with that requirement.
      • Confirm how the service provider will support you if you receive an access request regarding information held by the provider.
      • Analyze, according to your data retention policy, for how long you are allowed to keep the data after the purpose of collection has elapsed, and how the service provider will support your data retention needs.
    5. Once you have identified your real needs and the applicable requirements, ask the service provider to fill out a vendor questionnaire. This questionnaire should be a staple in your contract management process.

    Your questionnaire should tackle the items listed below; however, depending on the service and the type of agreement, some items may not be relevant and others may be missing.

    • Policies, standards, and controls in place
    • Architecture
    • Configurations
    • Product Design
    • Compliance
    • Access Controls
    • Monitoring
    • Physical Security
    • Contingency Plan
    • Service Provider’s Associates

    We will discuss the benefits and drawbacks of standard questionnaires in a future post.

    6. The vendor questionnaire will allow you to conduct a risk assessment and determine the service provider’s risk profile. This assessment will be used to support your business decisions.