Organisations share personal data with third parties all the time, but can they be trusted?
The GDPR (General Data Protection Regulation) has extended the scope of responsibility when it comes to data protection and privacy, meaning you need to be a lot more careful about the implications of security incidents caused by service providers.
How third-party relationships work under the GDPR
Before we begin, let’s be clear about how the GDPR works: any organisation that processes EU residents’ personal data is subject to the Regulation and must meet its requirements.
When you outsource data processing activities to another organisation, you are a data controller and the third party is a data processor.
A data controller decides what information is processed and the lawful basis for doing so, whereas a data processor completes the processing on behalf of the controller.
Under the GDPR, data controllers are responsible for their own compliance as well as that of processors.
As such, it’s essential that you research the security practices of any potential third party and agree in writing to the measures it will take to secure its systems.
The contract must also state that third parties:
- Will act only on your documented instructions;
- Won’t contract a sub-processor without your prior approval; and
- Will delete or return all personal data to you at the end of the contract.
Are you liable for third-party data breaches?
Liability depends on the specifics of the contract you signed with the third party. If you don’t have a contract, then you haven’t fulfilled your responsibilities under the GDPR and can be punished regardless of how the breach occurred.
If you have a contract but the supplier failed to meet its obligations, it may be liable to pay damages or other fines. This is also the case if the supplier sub-contracted some, or all, of the processing activities.
Nonetheless, although the supplier will be responsible for paying fines, the data controller is tasked with meeting the GDPR’s notification requirements.
Tips for dealing with third parties
Data controllers must be accountable for the way third parties process personal data. In the event of a security incident, it’s not good enough to deny any wrongdoing and lay the blame entirely on the supplier.
You must therefore be confident that the third party takes data protection seriously and will implement appropriate measures to meet the Regulation’s requirements.
When reviewing your relationships with third parties, you must:
- Not assume that third-party vendors take security and compliance seriously, let alone are GDPR compliant.
- Clearly define all areas and activities in which the GDPR is in scope, and have third-party vendors agree and provide signed contractual assurances that their processes meet the Regulation’s requirements.
- Confirm with third-party vendors that they will not outsource any GDPR-relevant scoped services without written approval.
- Regularly audit third-party vendors’ processes.
Simplifying your GDPR compliance practices
The GDPR has been in effect for a while now, but many organisations are still struggling to meet its requirements.
You must address your compliance requirements and ensure that you are maintaining a high standard. That’s easier if you use GDPR Manager, a tool that helps you document and manage key compliance processes in one location.
You can use it to:
- Keep track of third parties handling your data;
- Respond to DSARs (data subject access requests);
- Assess and manage your compliance gaps; and
- Record and report on data breaches.
A version of this blog was originally published on 18 December 2017.