In our previous articles, we took an in-depth look at how the upcoming European General Data Protection Regulation will affect the specific operations of automated email marketing. This included how personal data is collected, held, and ultimately used. In the following article, we will explore how business operations that use or operate third-party websites, share information, or link with such sites will be affected.
As a rule of thumb, if your business shares personal data or shares someone else’s data, it is likely to also share the responsibility for it. In its simplest terms, this means that the information shared in either direction will come within the remit of the new regulations and so will any business that handles it.
Under the new regulations, there is a clearer determination concerning the different functions that collectors, holders, and processors of personal data actually carry out. Bearing this in mind, it isn’t sufficient that businesses have their own end sorted; they must also ensure that any third-party clients or vendors that they use are also fully compliant with the new regulation.
In most cases, businesses that use a third-party vendor will, in fact, be using a data processor. This could involve anything from supplying email addresses to automated list-building platforms, and that is likely to affect a huge number of eCommerce and web-based businesses. There is some “blurring”, however, between the activities of processors and controllers, because their roles may overlap. The bottom line is that by leaving your data handling to a third party, your business doesn’t gain any immunity from the regulations or from the potential penalties of non-conformity.
Any entity that processes data on behalf of a controller or client (your business) could arguably be seen as a third-party processor under the GDPR. It follows, therefore, that although the roles of the two entities are separate, both would be accountable for the security and availability of the data.
The relationship between controllers and third-party processors
The GDPR identifies any party who has control of data as a “data controller”. Businesses operating platforms or software that manage client databases, email services, customer relationship management systems, and much more will fall into this category and therefore also within the remit of the new regulations.
Despite the possible ambiguity surrounding who is responsible for the different components in the data handling process, business experts are in agreement. They predict that the data controller (the entity making end use of the data) is responsible for ensuring that the third party vendor is in compliance with the GDPR.
From SaaS (software as a service) products to online data collection platforms, such services will all fall within the remit of the new regulations, and that means the businesses that use them have data responsibilities.
Many of the well-known and frequently used third-party vendors that fall within the remit of the new GDPR are already stating that they are either fully compliant or well on the way to it. That is the good news, but the data controllers and businesses that use such services could still be culpable in the event of a data security breach. Many of the key players, including MailChimp, Salesforce, HubSpot, Constant Contact, and others, are reporting that their systems are now covered by frameworks such as Privacy Shield.
Reputable vendors such as these are also providing knowledge bases, compliance checklists, and sections concerning GDPR compliance on their platforms for the benefit of clients.
Experts are predicting that although cloud-based facilities will present their own specific challenges, such services may actually provide some distinct advantages over conventional server-based storage.
It is no big secret that cloud-based third-party data storage already has something of a head start over some of the other industry players in meeting the challenges of keeping personal data secure. Thanks to the issues that such companies have addressed over the years, these third-party data handlers already have facilities built in to handle both data subject requests and any data breaches.
If your business intends to use, or already uses, the services of a third-party data handler, sitting on your hands and trusting them to have it all sorted may not be enough to keep you fully protected. Staying informed and talking to your existing or prospective vendors concerning their GDPR compliance is a “must do”. As we have already pointed out, experts are predicting that because you have either part or full ownership of the data, your business will ultimately carry the burden of responsibility for it.
In what follows we have set out a useful checklist of steps you may want to take to ensure that you remain compliant when using a third-party website or data handler for your data collection, holding, or handling.
Whether you are considering venturing into the world of third-party data handling for the first time or you have been working with an established vendor for a while, it really is good to talk. All of our online businesses are used to displaying everything from our Ts & Cs to policies and procedures on our web pages. It is the missing information, however, that often proves to be the most crucial in the event of any issues.
Where compliance with the GDPR is concerned, it cannot be too strongly emphasised how important third-party data handlers, processors, and controllers are to your business.
Through frank and open dialogue with your third-party vendor, you can go a long way in reaching mutual assurance that both parties are in fact working towards the same goals.
Along with frank and open dialogue, ascertaining that your potential or existing vendors have the correct certification is probably one of the best guarantees your business could have for compliance. During the transition period at least (before May 25th, 2018), your business may want to consider working with vendors that are at least able to demonstrate their intended compliance. In such circumstances, however, predicted compliance dates and a “pencilled in” revisit to check for a full resolution would also be prudent.
One of the positive fallouts from the whole GDPR is that it is already forcing businesses and third-party vendors to look at the area of data collection, holding, and handling in new ways. With shared ownership also comes shared responsibilities for the data and towards the data subjects. Bearing in mind that the whole revamp has been driven by a perceived need for improved rights for the individual (data subjects), the main ethos of the regulations ought to be geared towards them. This calls for closer working relationships between the client and the third-party vendors, and that looks set to be happening more and more.
With the deadline for compliance looming large on the digital marketing horizon, most third-party vendors will, by now, have already overhauled the nuts and bolts of their data systems. This has meant far more than simply ensuring compliance through the acquisition of a certificate. It has called for a total revamp of how data is handled and processed not least in the areas of hard evidence of permissions and access by the data subjects themselves.
This has led, almost by default, to massively improved tools and systems right across the third-party vendor business remit, and it is probably only the beginning. If you thought it was “all over” and the dust was now going to settle, the chances are that your thinking may prove to be in error. The General Data Protection Regulation provides one answer to one specific area of concern in the rapidly evolving digital landscape. It would be remiss of online businesses and eCommerce marketers to imagine that the story is likely to end there; new challenges are sure to be met with further innovations.
As always, this article, the fourth in our series of 5, was created with the aim of providing businesses with some valuable insights into the upcoming GDPR and how it will affect them. More importantly, our express wish is that our readers might take away at least some part of the above that is relevant to their own business.
After taking an overview of the new legislation, exploring how it is likely to affect specific businesses, and then looking at third-party vendors, in our final article we will be taking a closer look at data requests. From data subject requests to possible data privacy breaches, in our next and final article (in this series) we will investigate how the processes are instigated. We will also offer suggestions concerning how your business may fulfil its obligations and responsibilities in those areas, so please come back and visit us again soon.