In 2018, the business world almost melt with the terrifying news of the enforcement of the General Data Protection Regulation (GDPR). Now, it’s a widely implemented and respected data privacy regulation for organizations within and outside of the European Union. With everything we’ve come to know, it’s worth analyzing the impact of GDPR on the use of trusted service providers in support of business operations. Here’s everything you need to know about GDPR and third party vendors.
Key Terms and Definitions of GDPR
Before we can discuss GDPR and third party vendors, it’s critical we understand the definitions of the Controller, Processor, and Personal Data (as found in Chapter 1 and Article 4) and the territorial scope (as found in Chapter 1 and Article 3) outlined by GDPR:
- “Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
- “Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
As for the “Territorial Scope”:
- GDPR applies to the processing of personal data in the context of the activities of an establishment of a Controller or a Processor in the European Union, regardless of whether the processing takes place in the Union or not.
- GDPR applies to the processing of personal data of data subjects who are in the Union by a Controller or Processor not established in the Union, where the processing activities are related to:
- the offering of goods or services, irrespective of whether a payment of the Data Subject is required, to such data subjects in the Union; or
- the monitoring of their behavior as far as their behavior takes place within the Union.
- GDPR applies to the processing of personal data by a Controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
What to do if you are subject to GDPR
Effectively, GDPR might apply to your company if data belonging to an EU resident is accessed or processed (by your company or your company’s trusted third parties) while the individual is a resident of the EU. This isn’t the end of the known world but can create complications in managing your company’s data if the data warehouses are not already highly organized and segmented.
The first major obstacle is identifying whether, or not, GDPR will apply to your organization. If you’ve made it this far in to this article then let’s assume you’ve validated GDPR’s applicability to your company. If your company uses a trusted third party vendor to process or store your company’s data then your third parties could be considered as “Processors” according to GDPR’s definitions (above), thus, also making your third parties susceptible to GDPR’s oversight.
Next, the specific data elements protected by GDPR need to be identified and their location(s) properly documented. Proper data mapping helps to identify which data elements need to be isolated from others in instances where various aspects of GDPR (such as a Data Subject’s rights to be forgotten or rights to object to processing) are necessary, to ensure timely compliance to these requirements is enforced. Once appropriate data elements are identified (and properly mapped) the actual maintenance and management of the database becomes significantly less complex and easier to work with.
Other impacts to the compliance of GDPR requirements still apply, such as the appointment of an appropriate Data Protection Officer (DPO) who will be required to report to the appropriate Supervisory Authority designated by each Member State of the EU. Another important piece of information to be aware of is the ability for a company to leverage a trusted third party as the appointed DPO.
When all things are in order, one of the most important pieces of this vast puzzle remains the organization, identification, and ease-of-management of databases where GDPR requirements are applicable. There’s multiple technical tools available to assist in these efforts, if your company maintains their own on-site and internally hosted database. There are also multiple tools available to help companies without these capabilities offering various type of cloud-hosted solutions (SaaS) to properly organize, manage, and report GDPR compliance.
GDPR and the Integration of Third Party Vendors: Talking about Compliance
If your company is subject to the oversight required by GDPR, it may be a good idea to let your trusted third parties know if they’re also potentially going to become subject to these requirements. This will help ensure their own compliance is in order and that they are accepting any additional responsibilities.
For new third party vendors onboarded in your organization, you could simply add GDPR-related requirements to your risk assessment and monitoring workflow.
Learn More: How to Customize Requirements in Your Vendor Risk Assessments
In consideration of protecting your existing relationships, notice to your current third parties may be necessary if you change your requirements associated with providing goods and/or services to your company. Please seek your company’s appropriate legal guidance and counsel for formal advice and direction.
3 Reasons Why You Should Consider GDPR Compliance
Even if GDPR compliance may not be a priority for smaller data collectors or companies based outside of the EU, it’s still worthwhile to consider for the following reasons:
- GDPR compliance is not as costly as it seems. The cost of complying will depend on how you’re impacted by the regulation. For some organizations it could just be a matter of adding a few new disclosures to their website, and for others, there will be a need to hire a DPO, or to implement new processes and technologies.
- GDPR compliance has a positive impact on customers that trust you with their data. Large, multi-national corporations may have the most at stake, but working towards GDPR compliance will make data safer in any case. Showing you take security seriously always results in more business and cutting losses related to a cybersecurity incident.
- GDPR compliance puts you ahead of the pack. Regulations promote a sense of responsibility and create a safer environment that is often replicated. If a similar standard were to be passed in your country or state, you would be one step ahead if you already have the experience of complying with GDPR.
Not sure where to start with TPRM?
Deciding if you need a third-party risk management tool and choosing the right one can be challenging. This buyer’s guide will put you on a path to auditable risk management and accelerate your journey to TPRM maturity.
You will learn how to boost efficiency, transparency, and control over your risk management indicators.
