While the entire world is seemingly melting with the terrifying onslaught of the enforcement of the General Data Protection Regulation (GDPR…coming to a theater near you on May 25th, 2018) there remains a significant amount of mis-information, confusion, and utter chaos within some of the world’s largest corporations (HQ’d outside of the EU) and on social media regarding the continued use of trusted third parties in support of business operations…especially, those companies not too experienced with heavily regulated environments such as banking, insurance, and other financial services.
Key Terms and Definitions of GDPR
Before we can discuss what GDPR says about the use of third parties, it’s critical we understand the definition of the Controller, Processor, and Personal Data (as found in Chapter 1 and Article 4) and the territorial scope (as found in Chapter 1 and Article 3) outlined by GDPR:
- “Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
- “Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
a. GDPR applies to the processing of personal data in the context of the activities of an establishment of a Controller or a Processor in the (European) Union, regardless of whether the processing takes place in the Union or not.
b. GDPR applies to the processing of personal data of data subjects who are in the Union by a Controller or Processor not established in the Union, where the processing activities are related to:
i. the offering of goods or services, irrespective of whether a payment of the Data Subject is required, to such data subjects in the Union; or
ii. the monitoring of their behavior as far as their behavior takes place within the Union.
c. GDPR applies to the processing of personal data by a Controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
What To Do if You Are Subject to GDPR
Effectively, GDPR might apply to your company if data belonging to an EU resident is accessed or processed (by your company or your company’s trusted third parties) while the individual is a resident of the EU. This isn’t the end of the known world but can create complications in managing your company’s data if the data warehouses are not already highly organized and segmented.
The first major obstacle is identifying whether, or not, GDPR will apply to your organization. If you’ve made it this far in to this article then let’s assume you’ve validated GDPR’s applicability to your company. If your company uses a trusted third party to process or store your company’s data then your third parties could be considered as “Processors” according to GDPR’s definitions (above), thus, also making your third parties now susceptible to GDPR’s oversight.
Next, the identification of the specific data elements protected by GDPR need to be identified and location(s) properly documented. Proper data mapping helps to identify which data elements need to be isolated from others in instances where various aspects of GPDR (such as a Data Subject’s rights to be forgotten or rights to object to processing) are necessary to ensure timely compliance to these requirements is enforced. Once appropriate data elements are identified (and properly mapped) the actual maintenance and management of the database becomes significantly less complex and easier to work with.
Other impacts to the compliance of GDPR requirements still apply (such as the appointment of an appropriate Data Protection Officer (DPO) who will be required to report to the appropriate Supervisory Authority designated by each Member State of the EU. Another important piece of information to be aware of is the ability for a company to leverage a trusted third party as the appointed DPO.
When all things are in order, one of the most important pieces of this vast puzzle remains the organization, identification, and ease-of-management of databases where GDPR requirements are applicable. There’s multiple technical tools available to assist in these efforts (if your company maintains their own on-site and internally hosted database. There’s also multiple tools available to help companies without these capabilities offering various type of SaaS (cloud) hosted solutions to properly organize, manage, and properly report compliance to the GDPR requirements.
Talking to your Third Parties about Compliance
If your company is to be subject to the oversight required by GDPR, it may be a good idea to let your trusted third parties know (if they’re also potentially going to become subject to these requirements) to help ensure their own compliance is in order and that these third parties are accepting of these additional responsibilities. Please also be aware of the potential situations that some of your existing third parties may also become subject to the GDPR requirements on/after May 25th, 2018. In consideration of protecting your existing relationships, notice to your existing third parties (who may now become subject to GDPR due to their relationship with your organization) may be appropriate to ensure the third party is willing to accept these new requirements associated with providing goods and/or services to your company. Please seek your company’s appropriate legal guidance and counsel for formal advice and direction.
Please feel free to comment on this article, provide insight, feedback, and/or share the information found here. Multiple resources are available to assist in these efforts and only a small portion of such are listed or linked herein.