What does the GDPR mean to your third-party data processors?
Data controllers and processors will be equally responsible for compliance with the EU regulation.
It’s likely that if you handle data in any way, you are aware of the European Union’s General Data Protection Regulation (GDPR) and its wide-ranging implications for US companies that process any EU data. Perhaps you’ve already taken steps to bring your company into compliance in advance of its May 2018 deadline.
But just getting your own house in order isn’t enough. Under the new rules, any third-party processor you use is now directly and legally obligated to also be in compliance.
A third-party data processor is just what it sounds like: an entity that processes personally identifiable information (PII) on behalf of a controller. A controller is defined by the GDPR as an entity that determines how that data will be processed and for what reason. Email service providers (ESPs), customer relationship management systems (CRMs) and a whole slew of services with acronyms for names are third-party vendors that fall under this umbrella.
And they are big business. Recent research from the IAB Data Center of Excellence and the Data & Marketing Association (DMA) says that US firms will have spent more than $10 billion on third-party audience data in 2017 and even more than that on third-party solutions that process that data.
Get it together
Experts agree that it is incumbent on a data controller to assess and monitor vendors, as well as working with them to come up with solutions and strategies for remaining in compliance.
Kory Willis is senior director of IT at Impartner, a SaaS (software as a service) channel management solution. Willis says that it’s important to closely manage your vendors in order to stay in compliance.
“It boils down to vendor management,” Willis said. “The controller is just as liable as the processor. It’s incumbent on the controller to ensure that the people who are processing their data are consistent with GDPR.”
Holly Rollo, CMO and SVP at RSA Security, says that GDPR will require companies to work together to find solutions that will not only make legacy data compliant but will properly handle data moving forward.
“What GDPR encourages people to know is, where is your data, who has access to it, and how it’s being protected,” Rollo says. “In martech in particular, there’s a lot of people involved. It’s not like a CRM system that’s hosted, or one application. It’s going to require that businesses really look across their vendor ecosystem, the applications and tools they’re using, and how they’re stitched together.”
Vendors will need to show compliance
A quick survey of the websites belonging to many well-known third-party vendors showed that most of them either state that they are already compliant or are preparing to be. Many have updated their data processing agreements and added GDPR sections to their websites and knowledge bases. Some offer short primers on the legislation, checklists for customers and updates on how they intend to comply.
MailChimp, Constant Contact, Hubspot and Salesforce are among the providers who report that they have certified with Privacy Shield, showing their intention to follow GDPR’s rules on the transfer of data between countries.
What about the cloud?
Drew Nielsen, chief trust officer of cloud data protection and management service Druva, says that cloud services have specific challenges and may even have an advantage.
“Companies in the cloud do have some additional challenges when it comes to GDPR because they need to be aware of all the sub-processors of information that they are dealing with,” Nielsen said. “However, companies in the cloud who have GDPR requirements have an advantage as they tend to have a better handle around their data in many situations than those that aren’t in the cloud. I think the thing that keeps all companies up at night, whether in the cloud or not, is dealing with Article 17 and the ‘right to be forgotten’ above all else. Whether you’re in the cloud or on premise, no one is comfortable with deleting data.”
My survey of the websites for several popular cloud services showed that they are more vocal about their compliance preparation and in providing GDPR help to their customers than the other third-party sites I visited.
IBM has devoted an extensive section of its website to GDPR, with e-books and webcasts. It has also included GDPR in the compliance features of its IBM Cloud Secure Virtualization monitoring product. Microsoft has also introduced a GDPR product for its users: Compliance Manager helps companies assess their GDPR risks, as well as their compliance with other popular regulations.
So, what can you do as a controller?
Talk to your third-party partners. Take a fresh look at old vendors and make sure to thoroughly vet new ones. Check to see what certifications they have and how vocal they’ve been about their intention to comply. Since compliance means being able to retrieve, pseudonymize and even delete user data, make sure they have the tools to do so. And remember that you’re in it together and maintaining a good working relationship will help you to collaborate and find solutions that will work.