GDPR is now the law.
That’s a fact.
And this fact means that, technically, from now on every company processing the data of EU citizens or residents should do so in alignment with the new rules. Otherwise, they’re at risk of severe fines.
That said, a lot of businesses are far from ready for this brave new world.
Preparing for GDPR isn’t something you can do overnight
According to a report released this month by Capgemini:
85% of firms in Europe and the United States will not be ready to fully comply on time, while 25% will not be fully compliant by the end of this year.
So, if your preparations for the new law are still a work in progress, you might take consolation in the knowledge that you’re certainly not alone. However, this doesn’t mean the authorities will go easy on you when they audit your organization.
We know this all sounds really stressful – but our goal isn’t to make you panic. Remember that taking care of GDPR business will give you peace of mind. You’ll also be able to get back to all the other responsibilities that come with running a company.
GDPR preparations are a tough job. Here’s some of the things you have to do:
- set up a GDPR coordination team
- appoint a Data Protection Officer
- draft a new internal Privacy Policy & ensure local compliance
- create a new data breach procedure
- evaluate data processing procedures
- and many, many more.
Also, one of your most important tasks is to check whether every third party with access to your users’ data is compliant with GDPR.
Those numbers from Capgemini should tell you that you need to speak about compliance to your tech partners (suppliers, vendors, customers or anyone else you have some kind of business alliance with).
The State of GDPR Consent
Overview and scoring of how websites have adapted to data privacy regulations
What’s more, remember that as a data controller you are directly responsible for what happens with data collected from your users.
For more information on the tasks of data controllers, data processors, and the rights of data subjects, check out this helpful infographic:
GDPR Data Subject Rights – What You Need to Know.
In this blog post we want to give you some practical advice on how to assess your partners for GDPR compliance. For your convenience, we’ve divided the whole process into four actionable steps. Sounds good?
Great! So, here we go:
STEP #1: Map every third party that processes the personal data of your clients and visitors
This may seem easy at first, but don’t be fooled.
Research by ISACA shows that the top challenge in GDPR compliance is data discovery and mapping (59% of responses).
This is because today’s companies use an extensive amount of tools.
Data gathered by Siftery indicates that top companies today use an average of 37 different tools or software platforms to run their day-to-day operations.
The chances are high that many of them are processing personal data of your users. Especially that under GDPR the definition of personal data includes even online identifiers and IP addresses.
For more information about the characteristics of personal data, be sure to read this guide:
PII, Personal Data or Both?
Now you’ll have to check for GDPR compliance of each and one of them.
What makes the task even harder is the fact that these tools are scattered across the whole organization. Just finding them might be a big challenge. That’s why it’s important to ensure that every department of your organization is involved in the process.
This will make it much easier to create a list of every piece of software your company uses.
STEP #2: Verify compliance among your partners
As we’ve said before, never assume a business partner operates in compliance with GDPR, even if they’ve always been trustworthy before.
Recent events have demonstrated that many famous companies and organizations are falling short. See: Facebook and Google hit with $8.8 billion in lawsuits on day one of GDPR.
That’s why we decided to put together a helpful list. Here are three signs that your business partner could be up to the task:
1) They have assigned a DPO
As you surely know, it’s not mandatory to appoint a DPO. However, Chapter 37 of GDPR states that a data processor or data controller should appoint a DPO if:
[…] the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale.
This means that if a data processor’s day-to-day activity involves tracking the online behavior of users, they should definitely have a designated DPO in their structure.
2) They have additional security credentials
It’s a good sign when your partner complies with international security standards such as ISO 27001 and SOC 2. If they work according to these standards you know that they have a sufficient data security framework in place.
3) They can present a roadmap for GDPR compliance
Your DPO or members of a designated GDPR team should be able to speak with your partner’s DPO and get a clear idea of what steps they have taken to be compliant with the new law.
One of the most important things to look for is a framework for managing data subject requests. As a data controller, you have an obligation to ensure that data subjects can exercise their rights.
Under GDPR, you have 30 days to process every request from a data subject. It’s hard to predict how often users will exercise their rights. However, your software providers should develop some sort of standardized mechanism for accessing, revoking, and deleting user data within their systems. Otherwise, you may not be able to keep up with queries. This would expose you to fines for not performing your duties.
The most common myths about GDPR
On the other hand, there are also several red flags that should make you rethink your relationship with your business partner:
1) They say GDPR doesn’t affect their business
There are many ways companies try to avoid the responsibilities imposed by GDPR. Here are some of the most common false statements you can hear when assessing your business partner for GDPR compliance:
We don’t process or store personal data
That’s most probably not true. Article 4.1 of the General Data Protection Regulation gives this definition of personal data:
[…] Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The Regulation significantly expands the definition of personal data from that in Directive 95/46/EC. For instance, GDPR treats online identifiers and location data as personal data. This demands that they be protected in the same way as other identifiers, like information on the genetic, economic, or psychological identity of a data subject. What’s more, it includes cookies among online identifiers.
GDPR says that all cookies (including pseudonymous ones) can be considered personal data if there is any potential to use them to single out or identify an individual. This is detailed in Recital 30 of the new law:
Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
We’re not EU-based, so we don’t have to obey this law
That’s also not true. Keep in mind that GDPR impacts every business dealing with clients from the EU, not only companies based in the European Union. If a company does any form of trade with customers within the EU, then GDPR rules will apply to them if they store, process, or share EU citizens’ or residents’ personal data. This is true regardless of where the business is located.
What’s more, GDPR introduces additional requirements for crossborder data processing. They’re listed in Chapter 5 of the Regulation.
2) They claim they are GDPR-certified
You have to be aware that there’s no such thing as GDPR certification. At least for now.
There’s no way to get a GDPR compliance certification yet for the simple reason that there is currently no authorized institution or body that offers it. That’s why, despite the fact that many companies offer some kind of GDPR training, there are virtually no standards for this kind of certification and what should be included in the program.
This is why you definitely shouldn’t treat this kind of certification as proof of compliance with the new law.
The questions that you ask your partner will also depend largely on the type of business they run. Here you can also find some tips to help you determine whether your web analytics vendor will help you in fulfilling your duties:
How to be Sure Your Web Analytics Complies With the New Law.
STEP #3: Sign Data Processing Agreements with each one of them
Signing a contract (Data Processing Agreement) with your data processors is another requirement of GDPR, provided for in Article 28.
So, if your business partner has presented some reasonable proof that they’ll provide a level of privacy appropriate for your users’ data, it’s now time to sign a Data Processing Agreement with them.
This contract should specify the data they have access to, the scope of use of that data, and any existing compliance plan that might be in effect. Under GDPR, the demands of such a contract are broader, going beyond just ensuring the security of personal data. They aim to ensure and demonstrate compliance with all the requirements of the new Regulation.
If you’re not familiar with Data Processing Agreements, this extremely helpful guide created by The Information Commissioner’s Office (ICO; stylised as ico.) may come in handy.
Below is an excerpt from this document, where experts from ICO list all the important matters that should be covered by a DPA:
Contracts must set out:
- the subject matter and duration of the processing;
- the nature and purpose of the processing;
- the type of personal data and categories of data subject; and
- the obligations and rights of the controller.
Contracts must also include as a minimum the following terms, requiring the processor to:
- only act on the written instructions of the controller;
- ensure that people processing the data are subject to a duty of confidence;
- take appropriate measures to ensure the security of processing;
- only engage sub-processors with the prior consent of the controller and under a written contract;
- assist the controller in providing subject access and allowing data subjects to exercise their rights under the GDPR;
- assist the controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data
- breaches and data protection impact assessments;
- delete or return all personal data to the controller as requested at the end of the contract; and
- submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state.
It’s also extremely important to make sure that nobody processing your data shares it with another third party or uses it in any other way than described in the DPA. For example, they shouldn’t use it to better their services or improve their products (like in the case of Google)!
The State of GDPR Consent
Overview and scoring of how websites have adapted to data privacy regulations
STEP #4: Keep an ear to the ground and see what the future brings
Compliance with the law is not something that is given once and for all. It’s more like a continual process of reviewing your business and your business partners in light of new requirements, and paying close attention to whatever the future brings.
This is especially the case with GDPR – a very high-level framework still waiting for more practical, granular explanations. For instance, the Regulation on Privacy and Electronic Communications, also known as the ePrivacy Regulation, will provide much more detailed requirements for electronic data processing. However, ePrivacy is due to come into force in 2019, and the final text still hasn’t been published (a recent draft is available here).
In addition, each Member State of the European Union may issue their own guidance regarding GDPR compliance, or start offering GDPR certification. Both you and your business partners have to be ready to adjust your policies and practices to such changes.
Some conclusions
We hope that all the information presented above has given you some insights into reviewing the compliance of every party with access to your clients’ personal data. But if you have some more questions or just want to learn more about our GDPR-compliant products, don’t hesitate to get in contact! Our experts will be happy to help!