May 23, 2018
The long-awaited General Data Protection Regulation (GDPR) becomes enforceable on May 25th, 2018. After more than two years of discussion and preparation around the new data storage and processing rules, the date is almost here, leaving many wondering if they are completely ready for the change.
The GDPR strengthens individuals' rights over their own personal data. Businesses must have a lawful basis, such as the individual's consent, for storing, using or otherwise processing their information, and must be able to show what that basis is. It also gives individuals the right to request access to their data, to have inaccurate data rectified, and, in many circumstances, to have their data erased.
Organisations that fail to comply with the new rules could face fines of up to €20 million or 4% of their global annual turnover, whichever is higher.
Whilst the threat of these penalties has caused affected companies across the UK to update their data policies, there is one pitfall many will have failed to address. If you outsource any of your data processing to a third party, you remain responsible for ensuring those processors comply fully with the GDPR, and it could be you who faces the fines.
Who are third-party data processors?
The GDPR specifies two different roles when it comes to dealing with personal data: controllers and processors.
The data controller determines why and how personal data is processed, while the data processor actually carries out the processing on behalf of the controller, and only on the controller's documented instructions.
In many companies, these are one and the same, with a single business collecting data, maintaining data records, and processing the data for its own use.
However, other businesses may choose to outsource their data processing duties to a specialist firm like Adetiq. If you do, it is up to your company as the data controller to ensure all third-party data processors are GDPR compliant.
Article 28(1) of the GDPR says: “Data controllers shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject”.
Essentially, the legislation makes your organisation accountable for choosing and overseeing its processors, so you can be held responsible for data breaches caused by third-party service providers. Processors have their own obligations under the GDPR and can be fined too, but that does not take the responsibility off the controller. With third parties reportedly implicated in more than 63% of data breaches, this should be a serious concern for your business.
What should you do if you use third-party data processors?
In addition to getting your own firm GDPR-ready, you will need to ensure your outsourced data processing partners are just as well prepared.
It is very possible your third-party service providers did not realise that the GDPR would apply to them, or that they have begun preparations but to a standard lower than your company's. Remember: if a data breach occurs because of a mistake by your data processors, your company will suffer the consequences. That is why it is so important that you are proactive and effective when it comes to ensuring their GDPR compliance.
“It boils down to vendor management,” says Kory Willis, senior director of IT at SaaS channel management solution Impartner. “The controller is just as liable as the processor. It's incumbent on the controller to ensure that the people who are processing their data are consistent with GDPR.”
So, what can you do as a data controller?
Make sure you identify all third-party processors you use, then gauge their level of awareness and preparedness when it comes to the GDPR. Assess whether they have appropriate measures in place by asking questions such as:
• Where do you store the data you receive from us, and does any of it leave the EEA?
• Do you have your own data protection officer (not everyone will)?
• Do you inform us when you transfer data? How?
• Who can access the data, and how is that access controlled and logged?
• Do you use sub-processors, and do you ask for our authorisation before engaging a new one?
• What controls do you have in place to reduce the risk of a breach?
• If one of our customers were to ask to see all of the data you hold on them, would you be able to produce this?
• Do you have a breach notification process in place, and how quickly would you tell us? (Under the GDPR a processor must notify the controller without undue delay, and the controller then has 72 hours to notify the supervisory authority where required.)
• What happens to our data when the contract ends: is it returned or deleted, and can you demonstrate that?
Clearly define all areas and activities you carry out in which the GDPR would apply, then put a written contract in place with each third-party service provider. Article 28(3) requires this contract to set out the subject matter, duration, nature and purpose of the processing, the types of personal data and categories of data subjects involved, and the processor's obligations: to act only on your documented instructions, to keep the data confidential and secure, to follow the rules on sub-processors, to assist you with data subject requests and breach notifications, to delete or return the data at the end of the service, and to make available the information you need to audit them. A verbal promise to “be compliant by May 25th” is not enough.
Do your due diligence and audit these outsourced partners regularly to ensure the highest levels of compliance are maintained at all times.
Get in touch and speak to our experts to find out how we can help; we’ll go through your specific requirements and suggest the most effective methods to bring you the best results in the most cost- and time-efficient manner.