You’re probably immersed in your own processes to ensure that your company complies with GDPR but have you considered the impact on your interactions with third parties? To maximise effectiveness, get the dialogue with them started as soon as possible. Here are eight ways your service provider relationship may be impacted:
GDPR encourages you to reduce the amount of personal data held or processed. This should ultimately lead to reduced storage requirements which may have significant implications for you and your service providers.
If you can’t reduce the personal data you hold, anonymisation is a legitimate option: data that has been truly anonymised, so that the individual can no longer be identified, falls outside the scope of GDPR. Bear in mind that this applies only to irreversible anonymisation; pseudonymised data, where the link back to the individual is kept separately, is still personal data. Before committing to this approach, be sure that your service provider’s systems and processes will be able to cope with anonymised data.
If personal data can’t be anonymised, GDPR identifies encryption and pseudonymisation as appropriate safeguards. These may introduce cost and operational overheads, and if you’re dealing with special categories of personal data (sensitive personal data) you may have no choice. Service providers will only invest in new technologies if they’re confident that customers will use them, so an aligned approach is needed, at least until standards emerge.
Under GDPR, you’re responsible for giving your data subjects clear and adequate information about how their information will be protected and how they can get it amended or deleted. But the systems and processes that enable that may be designed and controlled by your service providers. So don’t make commitments to data subjects until you’re sure that your service provider has the systems and processes to deliver them.
The Data Protection Act largely left it to customer and service provider to agree their obligations to each other by contract. GDPR is much more about working together to meet the rights of data subjects. Since data subjects are usually not party to that contract, agreements between you and your service provider can only provide part of the solution.
Clearly you can offset some risk (for example, information security) through contractual warranties with service providers. However service providers will also seek contractual assurances, e.g. that all necessary consents have been secured from data subjects and that the data being processed does not involve minors or any special categories of personal data.
Data subjects, armed with their expanded rights, are likely to make subject access requests more often. Customers and their service providers therefore need a seamless process if they are to respond in a compliant way within the stipulated timescales (normally one month from receipt of the request).
Previously the customer, as data controller, carried almost all of the responsibility for data protection. GDPR imposes direct obligations on service providers acting as processors as well, so the responsibility is shared between service providers and their customers. This introduces challenges that will only be met through better collaboration and communication, so that customers and service providers are working together effectively.