GDPR Compliance: Do You Trust Your Partners to Manage Your Data?
Mar 28, 2018
By: Alexandra Barcelona
By now you’re either GDPR compliant, or on your way towards GDPR compliance in time for the May 25, 2018 deadline. In either case, you trust that your organization will have done the work and heavy lifting required to ensure your business and data handling are in alignment with the new regulations.
But do you have the same level of confidence in the companies you work with?
Sharing personal data with partners that are not GDPR compliant can land you in serious legal trouble and leave your brand’s reputation in tatters.
Below we examine some of the most common fears surrounding third-party GDPR compliance, why third-party responsibility is important, and how you can better validate the security measures of any partners you’re sharing data with.
Fears Over Third Party GDPR Compliance
GDPR compliance extends beyond your own company and into all of your third-party business relationships. Failure to take these relationships into account can compromise all of the work you’ve done to make sure your internal processes are compliant.
For example, you could be utilizing a third-party service to provide cheap customer support for your business. They provide a good service and fit within your budget, but what do you really know about the company? Will continuing to work with them put your customers’ data at risk? Have they gone through the process of updating their data processing, security and privacy standards?
Under the GDPR, a controller is the party that determines the purposes and means of processing personal data, and a processor is a party that processes personal data on the controller’s behalf (Article 4). Some organizations will assume both roles: your business can be the controller of some information and the processor of other information, depending on how each data set is handled. And depending on how much data storage and processing you do in-house, you might have several different companies who process data on your behalf.
Problems with GDPR compliance arise when your company hasn’t done the necessary due diligence on the companies you’re associated with. If one of your partners or vendors is negligent when it comes to GDPR standards and your customer data suffers as a result, it will be your responsibility as much as theirs.
Am I Responsible for Third-parties?
You don’t run a third-party vendor’s business, but as a controller you are responsible for the processors you choose: Article 28 of the GDPR allows you to use only processors that provide sufficient guarantees that their processing will meet the regulation’s requirements. If a vendor can’t provide those guarantees, you can’t share personal data with them.
Just because you’re delegating data processing and data handling duties to a third party, that doesn't mean that you have delegated the responsibility for that data. Article 28 places the duty of selecting and contracting a suitable processor on you, and under Article 82 a controller and a processor involved in the same processing can each be held liable for the full damage caused to a data subject, so a breach at a third-party vendor, company, or individual can become your liability as well as theirs.
This means that you need to ensure you have full reassurance and trust in every company who handles sensitive data on your behalf.
Managing all of your third-party business relationships can seem like a lot of work, but the steps below will help you work through it.
How To Safeguard Your Brand From Non-compliant Third-parties
Because a data breach at a third-party vendor is one of the biggest GDPR risks you face, you’ll want to be extra careful in your selection of the companies you partner with. Below you’ll find a few things to keep in mind as you create a strategy for partner compliance.
1. Don’t Assume Compliance
GDPR may be coming into effect very soon, but that doesn’t mean everybody will be ready. In fact, Gartner forecasts that over 50 percent of brands who fall under the jurisdiction of the GDPR will not be compliant by the end of 2018. Operating on the assumption that all your partners have updated their systems and protocols in line with GDPR is a big risk. Ignorance of your partners’ business practices is no excuse.
2. Get It In Writing
One way to protect yourself against a third-party data breach is to have your partners provide contractual assurance. Indeed, signing a contract with any data processor is another requirement of GDPR, in line with Article 28.
This contract should specify the data they have access to, the scope of how that data is used, and any existing compliance plan that might be in effect. Article 28(3) also spells out terms the contract must contain: the subject matter, duration, nature and purpose of the processing; the types of personal data and categories of data subjects; and the processor’s obligations to act only on your documented instructions, keep staff bound to confidentiality, implement appropriate security measures, engage sub-processors only with your authorization, assist you with data subject requests and breach notification, delete or return the data at the end of the engagement, and make information available for audits.
The first step is clearly defining your own scope of data collection and usage, and the roles that third-parties will play in your data management process. Once you’ve clearly defined how you will be utilizing different partners you can then create contracts that state they will work to achieve GDPR compliance by the deadline of May 25th, 2018.
3. Do Due Diligence
Due diligence is your responsibility. You should develop and continually refine a regular auditing process to ensure that any third-party companies you’re working with are actually compliant.
This will involve a thorough examination process that covers some of the questions below:
- Are they GDPR compliant? Can they prove their compliance?
- Are there any alternative partners who have proven their compliance?
- Can their data handling processes be improved? Is there any way your company can help?
- Are they regularly monitoring cybersecurity threats to data?
- How (and how quickly) will you be notified if a data breach occurs? A processor must notify its controller without undue delay after becoming aware of a breach (Article 33), and you as controller have 72 hours to notify the supervisory authority, so the vendor’s notification window must leave you time to meet that deadline.
GDPR Is About Customer Data, Not Your Company
Ensuring that your organization is GDPR compliant is only half the battle. As the controller of your customers’ data, you’re responsible for any other party or company who is helping you process that data.
That’s because the GDPR wasn’t drafted to hamstring companies, it was designed to safeguard customer data, and the power customers have over their data. When you start seeing GDPR as a data protection policy built for the individual rather than just a regulation that applies to companies, you’ll see the potential risk far more clearly.
Ensuring third-party compliance will be an ongoing process, but a wholly necessary one: when you hand your customers’ data to a processor, you remain accountable for what happens to it, and a third party’s error can become your liability.