What to Ask Your Vendors About GDPR Compliance

Are Your Vendors Data Processors?

Vendor compliance management is a key starting point towards GDPR compliance. When your organization is deciding whether to use a vendor as part of your GDPR compliance efforts, you must follow GDPR vendor (processor) compliance management best practices.

As a controller, you determine the purpose and means for processing personal data. You have authority and decision-making over personal data and take on the responsibilities of a controller as outlined in the law. Any of your vendors that process personal data of EU data subjects will be defined as “processors,” or the natural or legal person who processes personal data on your behalf. Processing is essentially anything done to personal data, including storing, archiving, transmitting, compiling, erasing or reviewing. Determining which of your vendors process personal data under GDPR requires identifying which data elements from which data subjects are processed by each vendor – this is part of the process called “data mapping.”

Once you’ve determined which of your vendors must comply with GDPR, you must understand which GDPR requirements apply to processors. Articles 2-3, 5-23, 27-33, 37-39, and 44-49 all describe GDPR requirements specific to processors and must be followed in order to attain GDPR compliance. One way to contextualize processor requirements is by understanding the required contract elements for controller-processor relationships.

Contractual Agreements That Are GDPR Compliant

Contractual agreements are a major aspect of vendor compliance management. Article 28 describes processor requirements, including the requirement to establish a contractual relationship between controllers and processors, and provides details on what components must be included in contractual agreements. The European Commission or Member State supervisory authorities may adopt standard contractual clauses for certain matters, but contractual agreements between controllers and their processor vendors must be in writing and stipulate the following:

  • The subject-matter, duration, nature, and purpose of the processing activities
  • The type of personal data included in processing activities
  • The categories of data subjects included in processing activities
  • The obligations and rights of the controller
  • The processor will only process personal data based on documented instructions from the controller
  • The processor ensures that persons authorized to process personal data have committed themselves to confidentiality
  • The processor takes all measures required for the security of processing (Article 32)
  • The processor respects the conditions for engaging another processor – specifically, prior notice to controllers and the opportunity for controllers to object
  • Taking into account the nature of the processing, the processor must assist the controller by implementing appropriate technical and organizational measures, as a part of the controller’s obligation to data subjects’ rights
  • The processor assists the controller in ensuring compliance with the obligations of Articles 32-36, which includes security of processing, data breach notification to supervisory authorities and data subjects, and data protection impact assessments
  • At the choice of the controller, the processor must delete or return all personal data to the controller after the completion of services relating to processing, and delete existing copies unless EU or Member State law requires the storage of the personal data
  • The processor makes all necessary compliance information available to the controller
  • The processor will allow for and contribute to audits conducted by the controller

If you’re reading this and thinking, “I’m a processor. What should I do to show I’m a GDPR compliant vendor?” then you should go through the list of items required in each contract between controllers and processors to identify whether you can comply with each of the requirements. By using the contractual requirements as a guideline for GDPR compliance, not only will you reduce your risk of regulatory fines, you will also gain a competitive advantage by proactively pursuing GDPR compliance. By demonstrating that you meet the needs of GDPR compliant contractual agreements, you can provide controllers with the assurance they need.

If you are a controller, there are at least two questions to ask and answer for processor oversight: 1) Have you updated your contracts to ensure that each agreement contains all of the GDPR required elements? 2) Are you following vendor compliance management best practices to ensure that processors are fulfilling their contractual and regulatory obligations?

For more information on GDPR compliance and vendor compliance management, contact us today.


Who’s Enforcing GDPR?

There’s no doubt that GDPR has brought its fair share of challenges into the world of data privacy. GDPR was specifically designed to impact businesses across the globe, not just European Union Member States. Its ultimate goal, though, is to reduce regulatory differences in order to make data protection laws more consistent and make businesses more transparent.

Part of what makes GDPR innovative is that, in order to work as intended, the law needs collaboration among all participants. This includes data subjects, controllers and processors, data protection officers, supervisory authorities, the European Data Protection Board, and the European Commission. With so many players in the game and such a broad territorial reach, how do you know how they function together and who’s enforcing GDPR? Let’s start at the top.

The European Commission

The European Commission proposes and implements laws that align with the objectives of EU treaties, meaning that it created the rules for the protection of personal data for the EU.

If you want to look at where GDPR began, you must go back to 1995, when Directive 95/46/EC was issued to regulate the processing of personal data in a fair and lawful manner; “fair” meaning you must tell data subjects what you’re doing with their personal data and “lawful” meaning you must comply with data subjects’ rights. But then technology and the way we share and collect data changed. The 1995 directive, like many other laws and regulations, needed updating. In 2012, the European Commission proposed data protection reform to replace Directive 95/46/EC and about three years later, in December of 2015, the European Commission agreed on a final draft of the GDPR, paving the way for adoption by the European Parliament. On May 25, 2018, GDPR officially took effect and became an enforceable law.

When the European Commission needs advice or has questions about the protection of personal data, it goes to the European Data Protection Board for answers and recommendations.

European Data Protection Board

When GDPR went into effect, a major regulatory development was the establishment of the European Data Protection Board (EDPB). The EDPB has replaced the Article 29 Working Party (WP29) as the regulatory body and legal personality of GDPR but has similar membership. In fact, the EDPB has adopted much guidance from the WP29 on topics such as data protection officers, transparency, consent, and portability.

Moving forward, the EDPB will now be the source for GDPR guidance. The EDPB will have a more comprehensive purpose than the WP29, and it will be more likely to obtain feedback from the public during the course of developing guidance.

Article 70 defines the tasks of the EDPB, which include issuing guidelines and recommendations, advising and communicating with the European Commission, and ensuring consistency of the application of GDPR.

EU Member States

It’s up to each of the EU Member States to develop their own guidance around GDPR and supervise the application of the law within their territory. Because the GDPR’s scope is spread between 28 EU Member States, it gives Member States some opportunity to make adjustments for how it applies in their country. For example, the UK’s Data Protection Act 2018 recently received the Royal Assent, which works with GDPR to form new data protection principles. This act modernizes data protection laws and the Information Commissioner’s Office recommends that the Data Protection Act 2018 and GDPR be read side-by-side.

As of May 25, 2018, each of the 28 EU Member States has designated a supervisory authority to be responsible for monitoring the application of GDPR within its territory.

Supervisory Authorities

Articles 51-59 require that each EU Member State designate an independent, public authority to be responsible for monitoring the application of GDPR and addressing non-compliance, known as a supervisory authority or data protection authority (DPA). Supervisory authorities’ main purpose is to protect personal data. Supervisory authorities, although there are 28 of them, play a central role in consistent application of GDPR.

As part of Article 31, controllers, processors, and their representatives must cooperate and support supervisory authorities in the performance of tasks. Supervisory authorities are generally tasked, within their territory, to do the following:

  • Monitor and enforce GDPR
  • Promote public awareness on data subjects’ rights and risks
  • Promote awareness to controllers and processors of their obligations
  • Handle and investigate complaints
  • Cooperate with other supervisory authorities
  • Document infringements and the corrective actions given
  • Investigate the application of GDPR in the form of data protection audits and reviews
  • Exercise corrective and advisory powers

In general, the main contact point for questions or topics on personal data protection is the supervisory authority in the EU Member State where the controller or processor is based. For example, a controller or processor based in France would report to the National Commission of Computing and Freedoms in France. However, if there is cross-border processing, the supervisory authority of the main establishment acts as a lead supervisory authority.

Because GDPR is a law and not an information security or privacy framework, we’ve heard the question of “who’s enforcing GDPR?” a lot. Data subjects, controllers and processors, supervisory authorities, the European Data Protection Board, and the European Commission must work together to implement and enforce GDPR, to make data protection law more consistent, and encourage businesses to be more transparent.

Do you know who the supervisory authority in your Member State is? Do you have a DPO? Have more questions about controllers and processors? Contact us today to find the answers you need.


Privacy Policies Built for GDPR Compliance

Updating Your Privacy Policy for GDPR Compliance

Privacy policies are critical to GDPR compliance efforts, as this statement or notice explains how an organization handles personal data. We know that in order to comply with GDPR, a privacy policy should be concise and written in clear, plain language. However, in the weeks since GDPR became enforceable, many privacy policies are not meeting these requirements. This may be due to organizations rushing to create what they believe to be GDPR-compliant privacy policies, which has resulted in quite the opposite. We’re seeing privacy policies that have a higher reading level, longer word count, and longer reading time, making them much more difficult to understand than before GDPR went into effect. So, what specific elements should a GDPR-compliant privacy policy include to avoid these pitfalls?

What Should a GDPR-Compliant Privacy Policy Include?

Article 13, under Section 2 of GDPR, “Information and Access to Personal Data,” states the required information that should be provided when personal data is collected from a data subject. Following Article 13’s guidance and others, we’ve compiled a checklist that will give your organization over 20 items to consider when creating or updating your privacy policy in order to help guide you toward a GDPR-compliant privacy policy.

To ensure fair and transparent processing, the law states that privacy policies must do the following:

  • Identify the data controller
  • Identify the data protection officer
  • Define the purposes of processing
  • Define the legal basis for processing
  • When “legitimate interests” are your legal basis for processing, describe the legitimate interests for processing
  • Describe the recipients or categories of recipients of personal data
  • If applicable, identify any intent of international transfers of personal data
  • If applicable, identify safeguards for international transfers of personal data
  • Define the data retention period
  • Describe data subjects’ right of access to personal data

Want the full checklist?

The Cost of GDPR Non-Compliance: Fines and Penalties

The EU’s General Data Protection Regulation (GDPR) is a top regulatory focus, and for good reason. Organizations across the globe are mapping their data, updating their privacy policies, updating contracts, reviewing their data collection processes, and trying to figure out whether they are a data controller or processor – all to avoid the severe consequences of GDPR non-compliance. Not only are the requirements and scope for this data protection law extremely broad, but the fines and penalties that organizations could face for GDPR non-compliance are unlike any fines and penalties imposed by a regulatory body before.

GDPR Fines and Penalties

Organizations who have grown used to being slapped with minor fines for data breaches or misusing consumers’ data will no longer be able to put the security and privacy of their consumers’ data on the back burner. To gain GDPR compliance, organizations who market, collect, use, or store consumers’ personal data must make the security and privacy of consumers’ data a top priority, or be faced with the severe consequences of GDPR non-compliance. GDPR is equivalent to a US Federal Law, and GDPR non-compliance can lead to fines of up to €20 million or 4% of annual global turnover – whichever is greater.

For example, Hilton – one of the largest hotel and resort chains in the world – was fined a mere $700,000 for a data breach that caused the information of 350,000 cardholders to be exposed. That’s a fine of just $2 per person affected by the breach. Considering that Hilton’s annual global turnover for the previous year was $10.5 billion, the company could have been fined a maximum of $420 million for the breach under the GDPR’s harshest fine. That’s a fine of $1,200 per person affected. For data controllers like Hilton, as well as data processors, understanding the consequences of GDPR non-compliance is crucial. A $700,000 fine for Hilton presumably didn’t impact the organization much, but a $420 million fine would have had much more severe implications.

Want to learn what fines and penalties will be enforced for GDPR non-compliance? Need to know what to do if your organization violates multiple GDPR provisions? Ready to learn what your organization can do to reduce the maximum fines?

Download the full report.

10 Key GDPR Terms You Need to Know

The most common questions we receive regarding GDPR compliance are all related to terms and definitions. Controllers, processors, processing, sub-processor, joint controller, controller-processor – there are so many complicated, similar GDPR terms. If you’ve been confused by what terms mean and which definitions are vital to the compliance process, you are not alone. What’s your organization’s role? Who enforces GDPR? What kind of data is covered under the law? What kind of person is covered under the law? Understanding key GDPR terms will help you be able to answer these important questions and help you begin your GDPR compliance journey.

Key GDPR Terms Defined

Perhaps two of the most ambiguous terms associated with GDPR are data subject and personal data. Let’s take a look at what each of these terms means.

Data Subject: Some may assume that “data subjects” means EU citizens, but the explicit language of the law applies to processing the personal data of “data subjects in the Union” which could cover tourists, non-citizen residents, international students, and much more. Because GDPR uses informal descriptions for the term “data subject,” the public has been left with varying interpretations and significant challenges. We generally see five definitions proposed for data subjects:

  1. A person located in the EU,
  2. A resident of the EU,
  3. A citizen of the EU,
  4. An EU resident/citizen physically located anywhere in the world, or
  5. A person whose personal data is processed within the EU, regardless of that person’s location.

Organizations should closely monitor regulatory and legal developments related to the definition of “data subject.”

Personal Data: Per Article 4(1), personal data is any identifiable information related to a data subject. For example: name, geographic location data, email address, IP address, photographs, video or voice recordings, biometric data, or an online identifier of the specific physical, physiological, genetic, mental, economic, cultural, or social identity of a data subject.

Download the full list of key GDPR terms.