You can't outsource your GDPR responsibility

Distinguished Engineer and Security CTO, IBM

In a series of blog posts, IBM is coaching businesses with recommendations on how to get into shape so they can thrive in the new data era.

In the era of the European Union’s General Data Protection Regulation (GDPR), an organization’s responsibility for personal data doesn’t end when it gets passed to others for processing.

Let’s take a retailer as an example. The retailer’s marketing team uses an email automation supplier to communicate with customers, and a customer relationship management (CRM) vendor to track engagement. Under the GDPR, their team must take steps to ensure that these third-party processors handle their customers’ data in line with the regulation.

In this situation, the GDPR refers to the retailer as the “controller” of the data relationship, and the suppliers as “processors.” The customers, if they are in the EU. are considered “data subjects.”

The coach’s take: "remember, if individuals’ data rights are not respected, they are empowered to pursue both controllers and processors."

Responsibilities of data controllers and data processors

The GDPR treats a data controller as the principal party in terms of responsibilities to individuals, such as collecting consent and enabling individuals’ rights to access their data. This means that an individual would contact the controller to initiate any data request, even if this data is being managed by a third-party processor.

The GDPR obliges the controller to demonstrate that the appropriate measures are in place to protect individuals’ personal data rights. The good news is that processors must submit to audits to make sure this is the case.

The coach’s take: “if you work with processors who don’t respect your customers’ data, you risk penalties yourself. This is only fair.”

Meanwhile, third-party processors are obliged to let controllers know if they believe instructions aren’t in line with the GDPR. Their other obligations include:

  • They are not allowed to use or mine customers’ personal data for their own purposes.
  • They must notify a controller when they learn of a GDPR breach.
  • They must delete or return all personal customer data when a contract ends.
  • They need your permission to use subcontractors and assume responsibility for any breaches by those subcontractors.

Use the GDPR to get closer to data processors

We recently wrote about how the GDPR is an opportunity to strengthen relationships with customers. It can also be viewed as an opportunity to build more transparent and, hopefully, constructive relationships with partners. It doesn’t need to become adversarial.

The coach’s take: “think about your contracts carefully. Every new data-processing agreement should be drafted in accordance with the GDPR.”

Examples of this include:

  • A well-managed, comprehensive assessment of the processor ecosystem for GDPR readiness, including the applications and tools they use, is an opportunity for both to demonstrate trust in one another.
  • Reviewing processors’ data protection certifications builds a picture of how seriously they take their responsibilities to a controller and its customers. Wouldn’t you want to know whether they’re a box-ticker or an enthusiastic data guardian?
  • Controllers and processors can and should work together to come up with compliance solutions and strategies. This might include putting in place processes for continually assessing, monitoring and optimizing compliance.

Respecting the GDPR spirit

In the age of the GDPR, close relationships with data processors are clearly needed and working with companies such as IBM to facilitate the journey can help. The most successful organizations will consider it a team effort to protect individuals’ data.

For more from the “Coach” take a look at the rest of this GDPR series.

Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.