While you are working diligently to help ensure your own organization is compliant with GDPR, your organization is explicitly responsible for the readiness and conduct of the third parties processing, supplying or storing your EU citizens’ personal information.
There are three priorities for third-party management:
- understanding the different roles defined in GDPR
- key contract elements to consider for GDPR processors
- assessing the applicable processors for compliance
Ensure your processors, such as email marketing services and hosted CRM services, have the necessary data protection procedures in place, particularly if they are outside of the EEA. Data transferred internationally must be based on adequacy decisions, i.e. acceptance that the data protection laws in those countries are suitable.
Who is in Charge?
The roles and responsibilities have changed under GDPR from the EU Data Protection Act. GDPR defines three important parties:
- The controller: “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”
- The processor: “the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
- The Data Protection Officer (DPO): GDPR requires the controller and the processor to designate a DPO to oversee GDPR compliance. For more information on the role of the DPO, see Step 12.
In other words, the controller is responsible for all actions taken by the processor concerning the proper or improper handling of personal information, and the processor is a third party that carries out directives defined by the controller. Controllers establish services and tell processors what they are authorized to do with the controller's information; processors have to be compliant or answer to the controllers and the GDPR supervisory authority. The DPO must continuously monitor GDPR compliance.
If a processor steps outside the bounds of the obligations set by a controller, then the processor is treated as a controller and is subject to all provisions for controllers. Also, processors are not permitted to subcontract their services without approval from the controller. Terms of agreements between controllers and processors should cover this.
Contracts are used as the communication vehicle between the controller and the processor. They are a critical step to make sure the obligations are clear between the controller and processor. Under GDPR, controllers need to understand that they are largely responsible for anything that processors do with the EU Personal Information that is sent to them. If processors stray from defined parameters, controllers will share in the liability.
While we aren’t lawyers, pragmatically it makes sense to us that agreements between controllers and processors should at minimum include the following:
- Agreement that GDPR is in scope for some or all activities performed by the processor, and that the processor agrees to be GDPR compliant.
- Agreement that the processor will not outsource in-scope services without written approval.
- Agreement that the processor will establish and maintain an effective, risk-based security management program and allow for verification of the security controls. Some controllers may go further and require external attestations, risk assessments, penetration tests and more, as warranted by the level of risk.
These provisions are in addition to the security standard clauses that an organization would impose on its service providers, including topics on incident notification, right to audit, risk management, cyber insurance and control effectiveness.
Assessing your Relevant Third Parties
Because of the extensive use of outsourcing and SaaS, IaaS and PaaS services, one of the most onerous tasks in GDPR preparation is the assessment of relevant third parties. Remember that controllers are responsible for the actions taken by their processors, so it’s important to identify all relevant processors, understand what data is stored and processed, how well each processor protects EUPI data, and their progress toward becoming GDPR compliant.
This is a tall order, as many organizations have not identified all their third parties and don’t know where all their EUPI data resides, internally or with third parties. GDPR has a lot of organizations scrambling on these two items alone.
Organizations with more than a few dozen service providers in scope for GDPR have their hands full for the following reasons:
- Organizations will need to figure out what questions to ask their processors, send questionnaires to them and follow up with them until they respond.
- Organizations then need to carefully review the questionnaire results. In many cases, controllers are going to request that processors provide evidence that substantiates their answers, and then wait for those artefacts for further examination.