You’re probably immersed in your own processes to ensure that your company complies with GDPR, but have you considered the impact on your interactions with third parties? To maximise effectiveness, get the dialogue with them started as soon as possible. Here are eight ways your service provider relationship may be impacted:

  1. Reduced data storage

GDPR encourages you to reduce the amount of personal data held or processed. This should ultimately lead to reduced storage requirements which may have significant implications for you and your service providers.

  2. Anonymisation

If you can’t reduce your personal data, anonymisation is a legitimate way to avoid the regulation. But before developing this approach, you need to be sure that your service provider’s systems and processes will be able to cope with anonymised data.

  3. Pseudonymisation

If personal data can’t be anonymised, GDPR recommends encryption and pseudonymisation. This may introduce cost and operational overheads, and if you’re dealing with special categories of personal data (sensitive personal data) you may have no choice. Service providers will only invest in new technologies if they’re confident that customers will use them, so an aligned approach is needed at least until standards emerge.

  4. Data protection processes

Under GDPR, you’re responsible for giving your data subjects clear and adequate information about how their information will be protected and how they can get it amended or deleted. But the systems and processes that enable that may be designed and controlled by your service providers. So don’t make commitments to data subjects until you’re sure that your service provider has the systems and processes to deliver them.

  5. Meeting the rights of the data subjects

The Data Protection Act pretty much allowed customers and service providers to make contractual agreements regarding their obligations to each other. GDPR is much more about working together to meet the rights of data subjects. As data subjects often aren’t party to any contract, agreements between you and your service provider can only provide part of the solution.

  6. Added contractual obligations

Clearly you can offset some risk (for example, information security) through contractual warranties with service providers. However, service providers will also seek contractual assurances, e.g. that all necessary consents have been secured from data subjects and that the data being processed does not involve minors or any special categories of personal data.

  7. Handling access requests

Armed with their expanded rights, data subjects are likely to make access requests more often, so customers and their service providers need a seamless process if they are to respond in a compliant way within the stipulated timescales.

  8. A deeper partnership

Previously the customer, as data controller, had prime responsibility for data protection. GDPR places the responsibility jointly on service providers and their customers. This introduces challenges which will only be met through better collaboration and communication to ensure that customers and service providers are working together effectively.
