How to work with third party solution provider under GDPR?

What should I do if I use third party solutions to handle data under GDPR? Can I work with third party solutions outside of the EU under GDPR? Yes, as long as these third party solutions adhere to GDPR guidelines on data processing and storage. Personal data can only be transferred outside of the EU […]

Table of contents

What should I do if I use third party solutions to handle data under GDPR?

  1. Make a list of all the third party cloud solutions you currently use.
  2. Map out the path of your data during the lifecycle of the process to ensure adequate level of security at every step.
  3. Assess the level of risk you could pose to individuals should your data be compromised.
  4. Determine whether you need to appoint a Data Protection Officer.
  5. Review all your contracts to understand where your data and applications are stored and whether your data is ever processed out of the EU.
  6. Include strict confidentiality, data privacy and data residency clauses in your contract.
  7. Ask your solution providers, especially those based outside of the EU, whether they are compliant with the GDPR regulation.
  8. Start evaluating and planning the switch to GDPR compliant solution providers if your current solution providers do not have plans to be GDPR compliant by next May.

Can I work with third party solutions outside of the EU under GDPR?

Yes, as long as these third party solutions adhere to GDPR guidelines on data processing and storage. Personal data can only be transferred outside of the EU to countries that satisfy the adequacy requirement or if you can assure an adequate level of privacy protection through Binding Corporate Rules.

What are Binding Corporate Rules (BCRs)?

Binding Corporate Rules are the EU gold standard for data privacy. BCRs allow multinational companies to transfer personal data from the European Economic Area (EEA) to their affiliates located outside of it, which do not ensure an adequate level of protection. The BCRs must be in line with the requirements of the Article 29 Working Party (on BCR):

  • Privacy principles (transparency, data quality, security…)
  • Tools of effectiveness (audit, training, complaint handling system…)

To ensure approval for their BCRs, companies must choose a lead data protection authority to approve BCRs and coordinate securing approval from other relevant data protection authorities.

The 12 questions you should ask your third party solution providers for GDPR?

  1. Where are your data and applications stored?
  2. Is that data ever moved out of the EEA?
  3. Do you ever transfer data between data centers outside of the EU?
  4. Do you always inform me when my data is being transferred?
  5. Do you have a Data Protection Officer?
  6. What data controls and risk management processes do you have in place?
  7. How do you manage the version release process on your platform to ensure adequate level of data protection?
  8. Who can access my data, under what circumstances and what can they see? Is this access tracked?
  9. Can I audit your security and technical measures on the protection of data?
  10. Do you have in place a security breach notification process?
  11. Do you currently adhere to Binding Corporate Rules?
  12. Do you have measures in place to become GDPR compliant in time for May 2018?