The EU GDPR (General Data Protection Regulation) came into effect three months ago, and a lot of organisations are starting to feel happy about their compliance posture. They are less happy, however, with the practices of their suppliers and service providers.
Under the GDPR, organisations must ensure that personal information that they’ve obtained remains secure – even when it is shared with third parties. Should a third party suffer a data breach, the organisation that provided the personal data will be held accountable. (The third party might also be held accountable, depending on the nature of the breach.)
The most serious violations of the GDPR will attract penalties of up to €20 million (about £18 million) or 4% of the organisation's annual global turnover, whichever is greater. Although fines of this magnitude will be reserved for egregious breaches, even comparatively lenient penalties could be hugely damaging.
The GDPR’s rules mean that sharing data with third parties is essentially no different from any other kind of data transfer. The problem is that, although organisations can instruct third parties on how to manage information security, they have no authority to enforce these requirements. Other than warning third parties about their shortcomings, organisations’ only recourse is to stop doing business with them.
One solution to the problem is for the third party to certify to ISO 27001, the international standard for information security. This is a good idea regardless of the GDPR implications, but it’s particularly helpful for any organisation that wants to demonstrate the effectiveness of its security practices.
The Standard is closely aligned with the Regulation’s requirements, so it should be relatively straightforward for GDPR-compliant organisations to achieve certification.
Draw up a contract
Once an organisation is happy with the third party’s security controls, it should draw up a contract committing the third party to certain practices. For example, the organisation will probably want assurances that the third party will share information about a breach promptly enough for the organisation to meet the GDPR’s 72-hour notification deadline.
Another clause might set clear limits on what the third party can do with the data, preventing any misunderstandings about the lawful grounds on which it was collected.
Learn more about the GDPR
You can get more tips on how to navigate the GDPR successfully by reading EU General Data Protection Regulation – A Compliance Guide.
This free green paper is the perfect introduction or refresher for anyone who handles EU residents’ personal data or who is responsible for compliance. It provides an overview of the Regulation, including the information it applies to and which organisations must comply with it. It also covers the key areas of change compared to previous data protection laws and what organisations need to be aware of when implementing and maintaining their compliance project.