GDPR and Third Parties: What Companies need to know

The Global Data Protection Regulation (“GDPR”) goes a long way in ensuring protection and privacy of user data, but what about third parties, vendors, and other outside stakeholders? The GDPR clearly states that all businesses and their partners are responsible for protecting user data. Third parties are legally obligated to comply with all aspects of the regulation to ensure consistency and true protection for consumers. Primary businesses that use consumer data are tasks with enforcing all rules enumerated under the GDPR throughout their network. In practice, organizations should convey their policies and procedures to their third-party partners and monitor proper compliance to foster complete protection across all channels of commerce. Generally speaking, a company should never diminish the value of ethical practices to accommodate a business partner or vendor. The spirit of the GDPR is aligned with this basic premise, and organizations should now begin to monitor their partners’ GDPR compliance initiatives.

The GDPR defines the parties to data collection and processing as “controllers” and “processors”. Controllers are those entities that determine the purpose and means of collecting personal data. Processors are those entities that process personal data on behalf of the controller. Therefore, a controller defines the scope and extent of activities involved in data processing for meeting its objectives and deriving benefits thereon. Controllers are typically primary organizations and entities that have direct contact with consumers. In contrast, processors are agents of controllers. Processors typically include software providers and other servicers of information and records.

Does the GDPR affect all third-party contracts?

It depends. If such third-party contracts involve any processing of personal data, then the businesses need to ensure GDPR compliance. Businesses need to undertake a thorough review of their contracts and make suitable amendments to be GDPR compliant.

What is the scope of data processing?

The GDPR makes multiple references to processing, so how should a business infer if an activity amounts to data processing?  The GDPR defines processing as any operation(s) performed on set(s) of personal data by automated means or otherwise. Activities like collection, recording, organization, structuring, storage, adaptation/ alteration, retrieval, consultation, use, disclosure by transmission, dissemination/ otherwise making available, alignment/ combination, restriction, erasure and destruction are specifically included under processing.

Why should organizations be responsible for what a third party does?

Every third party undertakes activities having an express or implied agreement with an organization for commercial purposes. By virtue of agreement, businesses provide authority and legal permission to third parties to act on their behalf. With this in mind, third parties are simply extensions of controllers and primary organizations; therefore mandating compliance with the GDPR is an organic stride in maximizing the effectiveness of all rules under the regulation. The GDPR states that controllers are legally responsible for all acts performed by an applicable processor, therefore, any noncompliance by the processor shall result in a noncompliance by the controller. This form of shared responsibility is important, and a concept that entities should be aware of when constructing their compliance initiatives in relation to the GDPR.

What are third-party processors responsible for?

Businesses must implement appropriate technical and organizational measures to ensure GDPR-compliant data processing. The measures to be taken are very subjective and require an assessment of the nature, scope, context and purposes of data processing along with the associated risks and severity for user privacy. In addition to implementing appropriate data protection policies, adherence to approved codes of conduct or approved certification mechanisms may also be used to demonstrate GDPR compliance. Businesses are responsible to ensure that their third-party processors implement these measures with equal force. The GDPR specifically requires businesses to use only those processors providing sufficient guarantees for GDPR-compliant implementation of data protection and privacy.

What are the GDPR-compliant amendments required in third-party contracts?

The GDPR states that any data processing by a processor shall be governed by a binding contract setting out various terms and conditions. The following are the mandatory components of a GDPR-compliant data processing contract:

  • Nature of services provided: Define the subject matter, duration, nature and purpose of data processing;
  • Data Constituents: Define the type of personal data and categories of data subjects;
  • Demarcation of responsibilities: Define the rights and obligations of the controller and the processor;
  • Authority: Processor to act on the written instructions of controller;
  • Confidentiality: People involved in data processing to be subjected to confidentiality requirements;
  • Security of processing: Processor to implement appropriate organizational and technical measures for data security;
  • Records of processing activities: Both the controller and the processor must maintain appropriate records pertaining to data processing;
  • Sub-processors: Processors must engage sub-processors only with the prior written consent of controller;
  • Assistance in compliance: Processors must assist controller in facilitating exercise of user data access rights, rights of erasure, security of processing, notification of personal data breaches, data protection impact assessments, audits and inspections;
  • Data Protection Officer (DPO): Processor should appoint a DPO to ensure appropriate implementation and monitoring of GDPR initiatives;
  • Demonstrate compliance: Processor to provide requisite data to the controller to demonstrate compliance under the GDPR.

 How can businesses ensure compliance by third-party processors?

Ensuring compliance by business partners and third parties is a difficult task regardless of the regulation in question. Businesses should have a compliance checklist and perform due diligence initiatives on a routine basis to ensure that third parties are actively engaged with GDPR requirements. As the guiding principles and compliance reporting mechanisms evolve, businesses should closely follow these developments and continuously refine business practices and policies to remain current and efficient.  Businesses may undertake the following to ensure compliance by processors:

  • Vendor risk assessment and self-certifications;
  • Third party audits;
  • Periodical inspections and test-checking;
  • Surveys of compliance initiatives backed by documentation;
  • Adherence to approved codes of conduct; and
  • Adherence to approved certification mechanisms.  

Businesses should take this opportunity to devote time and attention to the GDPR in relation to third parties. This can be done by conducting risk assessments, designing implementation plans, and implementing operational frameworks.  Similarly, businesses should also insist and subject their third-party data processors to all aforementioned standards. If not, fines and penalties may flow from your third-party partners directly to your organization. With so many uncertainties, companies must embrace third-party risks and create compliance controls to combat potential threats.

If your organization is concerned about governance, risk mitigation, regulatory compliance, human resources management and ethics, we can help simplify things for you. Call us at 973-520-6131. You can also get in touch on our website at www.riddlecompliance.com. We’re passionate about supporting our clients with respect, transparency, and unparalleled expertise.