February 18, 2019
The General Data Protection Regulations (GDPR) came fully into force in 2018. After years of discussion and preparation around the new data storage and processing laws, left many wondering if they’re fully compliant with the GDPR.
The GDPR is used to strengthen an individual’s rights to their own personal data; meaning businesses must obtain explicit consent from a person in order to store, use and process their information in any way. It also allows the individual to request access to their data, have their data rectified, or have their data completely erased at any time.
Organisations that fail to comply with the GDPR rules could face fines of up to €20 million or 4% of their global annual turnover.
Whilst the threat of these penalty fees caused affected companies across the UK to update their data policies, there is one pitfall many have failed to address. If you outsource any of your data processing to a third-party, you will be responsible for ensuring these processors comply fully with GDPR – or it could be you who faces the fines.
Who are third-party data processors?
GDPR specifies two different roles when it comes to dealing with data; controllers and processors.
The data controller is responsible for determining why and how personal data should be processed, where the data processor is the one who actually carries out the data processing on behalf of the controller.
In many companies, these may be one and the same; with the one business collecting data, maintaining data records, and processing the data for their own use.
However, other businesses may choose to outsource their data processing duties to a specialist firm like Adetiq. If you do, it is up to your company as the data controller to ensure all third-party data processors are GDPR compliant.
Article 28 of the GDPR says: “Data controllers shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject”.
Essentially, what the legislation states is that your organisation will be held accountable for any data breaches caused third-party service providers. And with third-parties being reportedly implicated in more than 63% of data breaches, this should be a serious concern for your business.
What should you do if you use third-party data processors?
In addition to ensuring your own business is GDPR complaint, you’ll need to ensure your outsourced data processing partners are just as well compliant.
It is possible your third-party service providers do not realise that GDPR would apply to them or they have done some preparations but to a standard lower than your company’s. Remember; if a data breach occurs because of a mistake by your data processors, your company will suffer the consequences. That’s why it is so important that you are proactive and effective when it comes to ensuring their GDPR compliance.
“It boils down to vendor management,” says Kory Willis, senior director of IT at SaaS channel management solution, Impartner. “The controller is just as liable as the processor. It’s incumbent on to the controller to ensure that the people who are processing their data are consistent with GDPR.”
So, what can you do as a data controller?
Make sure you identify all third-party processors you use, then try to assess whether they have appropriate measures in place by asking questions such as:
• Where do you store the data you receive from us?
• Do you have your own data protection officer (not everyone will)?
• Do you inform us when you transfer data? How?
• Who can access the data?
• What controls do you have in place to reduce the risk of a breach?
• If one of our customers were to ask to see all of the data you hold on them, would you be able to produce this?
• Do you have security breach notifications in place?
Do your due diligence and regularly audit these outsourced partners regularly to ensure the highest levels of compliance are maintained at all times.