Third-party suppliers are a common concern for organisations getting their GDPR (General Data Protection Regulation) compliance in order. When the Regulation was first introduced, the issue of third-party suppliers and their relation to organisations’ own GDPR compliance received a great deal of attention. And rightly so – GDPR greatly extends the scope of responsibility for businesses. But there are some nuances to understand. Let’s take a closer look.
Which suppliers come under the scope of the GDPR?
The GDPR is focused on protecting personal data and giving individuals in the EU greater control and transparency over who has their data and what they do with it.
Any organisation that handles EU residents’ personal data must comply with the Regulation; as such, when assessing your compliance, you need to consider any suppliers involved in processing the personal data you hold.
For example, a third-party CRM (customer relationship management) provider that retains your customers’ contact details comes under the scope of your own GDPR compliance, whereas a design agency you’ve employed to undertake a company rebrand probably doesn’t.
What responsibility do I have regarding those third parties?
When you engage a third-party supplier to process or access personal data, that third party becomes a data processor, while you are the data controller. Under the GDPR, data controllers are responsible not only for their own compliance but also for that of their processors.
Your first task is to vet your data processors to ensure they take the same stringent approach to compliance and data protection that you do. They should be able to demonstrate their own GDPR compliance strategy, and that they treat compliance as an active, dynamic process.
Next, the GDPR stipulates that a binding, written contract must be in place with your processor(s), setting out various terms and conditions to ensure GDPR compliance.
The ICO (Information Commissioner’s Office) details what that contract needs to cover:
- The subject matter and duration of the processing.
- The nature and purpose of the processing.
- The type of personal data and categories of data subject.
- The controller’s obligations and rights.
In other words, it needs to clearly cover the scope and purpose of the data processing you are handing over to third-party control.
The contract also needs to confirm, in writing, that your third-party supplier will act only on your documented instructions, that it will take appropriate security measures, that it will not contract a sub-processor without your prior approval, and that it will delete or return all personal data to you at the end of the contract.
Am I liable?
Liability, therefore, depends on a few things. First, is the third-party supplier a data processor? If so, then yes – their compliance with the GDPR comes under your own scope of liability.
Contracts are vital: they ensure that both parties understand their obligations, responsibilities and liabilities, and that both comply with the Regulation. If you don’t have a written contract in place with the supplier, then you haven’t fulfilled your own responsibilities under the GDPR.
If the supplier signed a contract with you but failed to meet its obligations under the GDPR, it may be liable to pay damages or fines. This also applies if your supplier hires its own third-party supplier to help process your data without your express approval and agreement. However, while any fines and damages will be payable by your supplier, you still have a responsibility to tell your data subjects what has happened to their data, and to empower them to make decisions about it.
The GDPR creates complex chains of responsibility, and ultimately aims to protect data subjects, not organisations. The message regarding third-party suppliers is clear – choose them carefully, draw up robust contracts and ensure they take GDPR compliance seriously.
For more advice on third-party liability, speak to one of our experts. If you’re looking for an all-in-one solution for GDPR compliance, enquire about GDPR Manager – a tool that provides customers with the means to assess their data protection practices using a combination of four modules that relate to GDPR and BS 10012 compliance.