GDPR compliance and provider control in 4 steps
Hiring providers that have access to personal data held by our company is a fact of life, and over time the practice has spread to every type of organization, from the smallest to the largest. Certain steps must therefore be followed for GDPR compliance and provider control.
In April’s post we focused on the difference between this kind of access to data and the transfer of data to third parties (the two have nothing to do with each other). Today we want to expand on this and give you the keys to understanding what to do to comply with the GDPR when a provider has access, for example, to the data of our customers, employees, leads, etc. By following these steps and asking these questions, you will achieve correct GDPR compliance and provider control.
Before this, however, some of the common cases of providers with data access are:
- CRM or ERP applications or software hosted in the cloud.
- Platforms for sending and managing email marketing campaigns.
- External backups.
- Employee time control applications or programs.
- Computer maintenance services.
- Labour management.
So let’s go through the 4 steps that must be followed to ensure that data access by these and other providers complies with the GDPR:
1. Clearly specify the data they can access and for what purpose.
One of your essential tasks as data controller is to ensure that these providers (data processors) access only the necessary data to provide the service and that the purpose of such access to the data is clearly identified. Providers, therefore, will never be able to access more data than they need to provide the service or exceed the purpose for which they have been given access to the data.
2. Check the location of the provider and, more importantly, whether they outsource part of the contracted service.
Very important. When reviewing compliance with the GDPR by the provider, you must ascertain the location from which they provide the service and, therefore, “where” the personal data to which they have access will go. Procurement of providers from outside the EU has special requirements (see Point 3).
Also, find out whether the chosen provider subcontracts part or all of its services, and again, where these subcontractors are located. As the controller, you must know the subcontractors and also authorize subcontracting by contract.
3. Providers outside the EU.
Globalization in the provision of services, especially digital ones, has made it possible for them to be provided from virtually anywhere in the world. What is easy for business can also be a challenge for compliance with the GDPR, because in practice it may mean that personal data is hosted outside the EU. This is not forbidden, but it does mean that special requirements apply. Again, it depends on where the provider is located and, based on that:
- If it is located in a territory the European Commission deems adequate, treat the provider as if it were established within the EU.
- Otherwise, the most common thing will be to have the provider sign one of the model contracts prepared by the EU for this purpose.
4. Ensure that you apply security measures.
Applying security measures appropriate to the type of data processed is one of the basic obligations of data controllers. It is common practice for processors to complete provider questionnaires so that the controller can verify regulatory compliance.
This is a widespread and useful practice. The measures range from the duty to report security incidents and keep an up-to-date record of processing activities to the need to carry out an adequate risk analysis of the data processed. Measures must be tailored to each type of provider and process.
Last but not least: you must check that the relationship with the provider is governed by a written contract or equivalent binding terms that cover at least the four points detailed above.
The absence of a contract, in addition to being a breach of the GDPR, is a clear risk for both parties when it comes to delimiting each one’s responsibilities in the processing of personal data.
If you need more information about this or any other issue, please don’t hesitate to contact us:
Information on data protection: the controller for contact-form submissions is LEGAL IT GLOBAL 2017, SLP. Your data is used to provide the service and send the newsletter, on the basis of compliance with the service provision, and will not be shared with any third party except service providers with which we have signed a valid service agreement.