Third-party suppliers are a common source of confusion for organisations considering their GDPR (General Data Protection Regulation) compliance requirements.
When the Regulation was first introduced, the issue of third-party suppliers and their relation to organisations’ own GDPR compliance received a great deal of attention.
And rightly so – GDPR greatly extends the scope of responsibility for businesses. But there are some nuances to understand. Let’s take a closer look.
Which suppliers are in scope of the GDPR?
The GDPR is focused on protecting personal data and giving individuals in the EU greater control and transparency over who has their data and what they do with it.
Any organisation that handles EU residents’ personal data must comply with the Regulation; as such, when assessing your compliance, you need to consider any suppliers involved in processing the personal data you hold.
For example, a third-party CRM (customer relationship management) provider that retains your customers’ contact details comes under the scope of your own GDPR compliance.
While a design agency you’ve employed to undertake a company rebrand probably doesn’t.
What responsibility do I have to third parties?
When you engage a third-party supplier to process or access personal data, that third party becomes a data processor – whereas you are the data controller.
Under the GDPR, data controllers are responsible not only for their own compliance but also that of their processors.
Your first task is to vet your data processors to ensure they take the same stringent approach to compliance and data protection that you do.
They should be able to demonstrate their own GDPR compliance strategy, and that they treat compliance as an active, dynamic process.
Next, the GDPR stipulates that a binding, written contract must be in place with your processor(s), setting out various terms and conditions to ensure GDPR compliance.
The ICO (Information Commissioner’s Office) details what that contract needs to cover:
- The subject matter and duration of the processing.
- The nature and purpose of the processing.
- The type of personal data and categories of data subject.
- The controller’s obligations and rights.
In other words, it needs to clearly cover the scope and purpose of the data processing you are handing over to third-party control.
The contract also needs to confirm, in writing, that your third-party supplier will act only on your documented instructions, that it will take appropriate security measures, that it will not contract a sub-processor without your prior approval, and that it will delete or return all personal data to you at the end of the contract.
Am I liable?
Liability, therefore, depends on a few things. First, is the third-party supplier a data processor? If so, then yes – their compliance with the GDPR comes under your own scope of liability.
Contracts are vital, ensuring that both parties understand their obligations, responsibilities and liabilities, as well as comply with the Regulation.
If you don’t have a written contract in place with the supplier then you haven’t fulfilled your own responsibilities under the GDPR.
If the supplier signed a contract with you but failed to meet its obligations under the GDPR, it may be liable to pay damages or other fines.
This also applies if your supplier hires its own third-party supplier to help process your data without your express approval and agreement.
However, while any fines and damages will be payable by your supplier, you still have a responsibility to communicate what has happened to your data subjects, and empower them to make decisions about their data.
The GDPR creates complex chains of responsibility, and ultimately aims to protect data subjects, not organisations.
The message regarding third-party suppliers is clear – choose them carefully, draw up robust contracts and ensure they take GDPR compliance seriously.
You can find more advice about third-party liability under the GDPR by speaking to one of our experts.
Meanwhile, if you’re looking for specific solutions to help you meet your GDPR compliance requirements, you should take a look at our GDPR Manager service.
This tool provides customers with the means to assess their data protection practices using a combination of four modules that relate to GDPR and BS 10012 compliance.
A version of this blog was originally published on 25 June 2019.