GDPR & Third Party Data Processors
Whilst it’s important that you’re on top of your data compliance, it’s also essential that you check that any third party data processors you use are also compliant. Ultimately, as a controller, you are responsible for ensuring that personal data is processed in accordance with GDPR. This means that you need to establish that your data processors are fully compliant or you could be liable for corrective measures and sanctions, including fines.
Who Are Third Party Data Processors?
A third party data processor is defined under GDPR as, “a natural or legal person or organisation which processes personal data on behalf of a controller.” This essentially means any third party who processes personal data on your behalf. This could include cloud services, mailing houses, hosting companies and any other organisation with which you share personal data as part of your business operations or as part of any projects you may be running.
What Should I Do If I Use Third Party Data Processors?
Data controllers are responsible for actions taken by data processors. Therefore, you must identify all processors you use, have a clear understanding of the data you store and process with them, and understand how well each processor secures that data.
By completing an assessment of all third party processors you use, you’ll be able to gauge their awareness of GDPR. You should also be able to assess whether they have appropriate measures in place to comply with the regulations.
What Should I Ask Third Party Data Processors?
Good questions to ask include:
- Where is the data stored?
- Do you have a data protection officer?
- Do you inform me when you transfer data?
- What controls do you have in place to reduce risk, and what are your risk management processes?
- Who can access the data?
- Do you have security breach notifications in place?
- Do you adhere to Binding Corporate Rules (BCRs)?
- What measures are in place for you to be compliant with GDPR by May 2018?
A useful exercise is to map your data pathways in order to understand how data is captured, what data is captured and what data is transferred between you and your data processor. This will give you a clearer understanding of your data management and where you may need to make improvements to your procedures to ensure compliance.
Review Your Data Processor Contracts
The GDPR also makes written contracts between controllers and processors a requirement. This means that you will need to ensure contracts are in place when:
- You directly employ a data processor
- A processor employs another processor
Therefore, before the 25th May 2018, you need to check your existing contracts. If they don’t meet the requirements, you will need to draft and sign new contracts.
Both your organisation and your third party data processors need to have policies in place to support GDPR. Having a clear picture of how data is transferred will improve your knowledge about the data you control. You should also ensure that the data you collect is the minimum required for the necessary service/product.
Although it can seem like a challenging mountain to climb, in reality, GDPR offers businesses the opportunity to improve their data practices and their customer relationships. It helps you gain a deeper understanding of your data management, improve your knowledge about your customers and how they interact with you, strengthen databases, and open up new lines of communication.