Grant McGregor Blog

GDPR, Outsourcing and Third-Party Data - what you need to know

Written by the Grant McGregor Team | May 21, 2018 1:59:06 PM

The business world is jittering in anticipation of May 25th, with marketing, payroll, HR, sales and IT departments all working diligently to make sure their own personal data protection policies meet the new Europe-wide legislative standard.

We've covered some different aspects of GDPR and Cyber Security in recent articles over the past few months in our Blog. 

But beyond your internal processes, how else can you ensure that your business won’t find itself open to a personal data breach as we fast approach the deadline?

Regardless of the industry, your external relationships with vendors, contacts, and suppliers are just as important, and as you tighten your own operation, it might pay to consider who else you do business with. As each one of these might require a separate data sharing agreement or clause.

How Can Other Companies Affect Me When It Comes To GDPR?

The majority of companies, startups, and sole traders frequently outsource certain tasks to other companies, software, and apps. It’s cheaper, more efficient and means that you don’t have to worry about the extra admin. But whilst leaving matters to the experts might make good business sense and free you up valuable time, when it comes to the meeting the new data guidelines, you could end up more vulnerable to fines.

So What Can I Do?

The first step is to create an outline of every company your business exchanges information with.

The second step is to locate any personal data you might be sharing with them.

Beyond the more traditional external suppliers, it’s now commonplace to hire a third-party to step in with a wealth of professional knowledge, completing certain tasks as needed. List everything from couriers to employee perks subscriptions, payroll software, and virtual assistants.

Although outsourcing is a fantastic resource, there can be a tendency to underestimate how many different businesses you interact with and just how much information you share with them. The more detailed data map you make the better, so try to leave some thinking space when you ask your colleagues for their input.

Looking to Delegate Your Data Processing? Consider Your Liability.

When the GDPR was announced back in 2016, larger companies initially reacted by thinking they could outsource their entire data handling process to a third party.

Problem solved? Well, not really. As it turned out, it's not that simple!

On the one hand, there is a certain logic in doing this. By delegating to experts, it should reduce the chance of data being mishandled, but this doesn’t mean your business is automatically bullet-proof.

Outsourcing your data processing is also a costly half-solution, and raises more questions:

• What happens if this third party is subject to a data breach?

• How does this affect apportioning blame when it comes to handing out fines?

According to the ICO, delegating the process doesn’t change anything.

If a third-party handling data crosses over - in any sense - with your business, then both companies will find themselves equally liable. You could potentially put yourself in a more vulnerable position, especially if you are paying to outsource, as opposed to training your own staff about data best practices.

This becomes even more relevant when considering the fact that data errors are largely down to humans making mistakes. A lost USB stick containing client data, a sensitive document emailed to the wrong person or failing to encrypt or password protect files - these situations can all be avoided if you spend time with your staff and make it clear what is expected of them with regards to GDPR.

The truth is it's still your responsibility as the data controller or processor.

Common Goals - Communicating Effectively with Your Third-Party Suppliers.

Whilst there are lots of training and consulting options to get your business GDPR ready, what about your external vendors, third party suppliers, intermediaries, and middlemen? With the rise of automation software and even outsourcing departments - what is the best way to tackle third-party risk when handling customer data?

• Move away from the “us and them” mindset.

Firstly, when considering third-party contracts, try not to think of internal data policies as “your problem” and third-party supplier’s data as “their problem”. This is the opposite of what this legislation wants to achieve. If you’re inclined to approach the GDPR using this framework, then you will end up with inadvertent gaps in your data handling processes.

• Don’t wait to find out which third-parties are taking data privacy seriously.

Looking at how your vendors are handling the run-up to the GDPR deadline can indicate how efficiently they are running their business as a whole. Ideally, your suppliers will come to you first, with a clear outline as to their definitive strategy. A reactive response indicates poor planning and even disregard to the value of your custom.

Gauge your supplier’s responsiveness and level of detail in their own process. A good third-party vendor will use the opportunity to highlight why you want to continue using their services.

• Cut ties with threats to your company data.

Whilst the GDPR brings a chance to reset and fine-tune your customer information, it is also the perfect opportunity to wheedle out your second rate and disorganised suppliers. If you view your client data as part of a supply chain, then the earlier you are able to remove emerging threats from this chain, then the safer your company data will be.

• Watch out for young, fast-scaling companies.

If a startup or small business grows too quickly, a brilliant app or software company might not have that same level of care when it comes to data privacy and general administrative processes. The best user experience might not be the most secure, so make sure to do your research.

• Be clear, and get everything written down once you set your expectations.

The aim is for clear overlaps in both your company and third-party data handling.

Once your own processes are in place, speak to each of your vendors and ask how they are choosing to map their own data. Once you have this all in place, agree your expectations and outline penalties if these expectations are not met. Make sure every process is clearly laid out. Get everything down, in writing.

Joint liability should equate to joint responsibility - the best protection practices will mean that you are taking extra steps to make sure that your documents and customer details are protected even after they travel out and away from your company.

The goal is to clearly understand who is the Data Controller and who is the Data Processor. Then the appropriate data sharing documents can be created to outline the responsibilities.

One other piece of useful reading we'd guide you to right now is the ICO's recent blog that busts some myths on the issue of consent and how it isn't a "silver bullet" for compliance. Perhaps you have a lawful basis for processing personal information?

The sky will NOT fall in on Friday. Enforcement comes into play and you may have to change some of the ways that you're currently working. But don't fall for all of the BS around GDPR. That date is when compliance starts, not ends.

If you're looking for some straightforward help and guidance around GDPR then please get in touch on 0808 164 4142.