How to prepare for GDPR with third-party vendors
As the deadline for compliance with the EU’s General Data Protection Regulation (GDPR) approaches, it is critical to remember that you are liable for the compliance of your vendor partners as well. We talked in a previous blog about the big changes underway as companies and providers work to comply with the GDPR, which applies from 25 May 2018. Companies found to be out of compliance can expect large fines that could potentially put smaller companies out of business.

If your company collects or processes personal data of individuals in EU member states, the GDPR applies to your own workflow and to any vendors or consultants who handle that data on your behalf. In other words, you are responsible for selecting vendors that can comply and for the terms under which they process EU personal data.

If you maintain accurate and up-to-date business agreements with your vendors, you are at a good starting point. Even today, handling personal data from the EU requires compliance with the EU Data Protection Directive (95/46/EC), which remains in force until the GDPR replaces it. If the GDPR applies to your business and you have already built data-protection terms into your vendor agreements, you only need to update them for the GDPR. If your vendor agreements are not already tight and compliant, or if you are operating on a boilerplate contract, you have your work cut out for you.
Create a compliant contract with your third-party vendors
The GDPR (Article 28) requires that controllers (your business) use only processors (your vendor partners) that provide sufficient guarantees that they will implement appropriate technical and organisational measures to meet the regulation’s requirements. It also requires a written contract (or other legal act, including in electronic form) that formalizes and defines the responsibilities of the controller and the processor. Here are a few of the key points to address in your amended third-party vendor agreements:
- Clearly define the processing the vendor will perform on your behalf: the GDPR requires the contract to set out the subject matter and duration of the processing, its nature and purpose, the types of personal data involved, and the categories of data subjects.
- Set forth the obligations of the processor: the contract must cover specific points such as processing the data only on your documented instructions, confidentiality of the staff who handle it, security measures, the conditions under which sub-processors may be engaged, assistance with data subject access requests and other individual rights, notifying you without undue delay of any personal data breach (you, as the controller, remain responsible for notifying the supervisory authority and affected individuals), the deletion or return of personal data at the end of the engagement, audits and inspections, and, if you can believe it, even more.
- Data Protection Officer (DPO): As the voice of compliance in an organization, a DPO is required for public authorities, and for any controller or processor whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data (such as health, biometric or criminal-conviction data). Because the requirement applies to processors as well, ask each vendor whether it needs a DPO and who that person is.
If your business is subject to the GDPR and you are still in the preliminary stages of identifying the vendors in your network, it is important to drill into the details and create compliant contracts now. Are you ready?