Governing the Data Protection Practices of Third Parties
The imminent enforcement date of the GDPR has the technical world scrambling for compliance across every aspect of the enterprise. While many organizations have begun to incorporate the guiding principles of "Controller" and "Processor" into their operational practices, some Controllers may not yet have considered how their Processors' own Processors handle relevant data.
The new rules establish an obligation for almost every contracting element of the data management chain to keep private data private, including cloud hosts of services that may appear only peripherally, if at all, on the Controller's dashboard. However widely the rules spread and delegate data security responsibilities, they still hold Controllers ultimately accountable for all privacy compliance, regardless of where in the chain a failure occurs. Controllers who do not yet know which vendors their Processors work with risk significant penalties if those third-party vendors fail to achieve or maintain GDPR compliance.
Marshaling the Third-Party Vendors in Your GDPR Data Chain
Of course, the first entities to review for GDPR-relevant data-security practices are the front-line subcontractors, the companies that process any corporate data at all. Most of these entities will be evident from how the company does its business. If it relies on a CRM service, uses email, or accesses automation vendors, the company's Controller already knows the broad shape of its Processor ecosystem. What may be missing is information about how those Processors run their own business. If they, too, rely on yet another layer (or layers) of third-party vendors for any services that process consumer data generated at the Controller level, then those vendors also fall under the umbrella of "Processor" for the purposes of the GDPR.
In this circumstance, any cloud host will almost certainly emerge as a concern. Cloud hosts provide not just processing services but also operator services that are not subject to the GDPR, and they frequently spread data management capacity across international borders. Without an affirmative prod from their clients, many may assume that they are not Processors and therefore never implement a GDPR-compliant strategy. If they are wrong, however, the Controller (and its consumers) will ultimately pay the price.
Controllers, then, must actively assess and monitor not just their front-line vendors but also all down-line services vendors to ensure that the corporation manages all of its consumer data according to GDPR principles at all enterprise levels.
Cloud Hosts Offer Benefits, Challenges
By some estimates, cloud hosts have a better handle on data management precisely because they have the duty to manage it. These companies are (or should be by now) intimately familiar with GDPR requirements and should be able to readily demonstrate compliance with the new rules.
Controllers who seek assurances that all aspects of their subcontractors are GDPR-compliant by "go day," including cloud hosts of any services that touch corporate data, should follow their data down these paths:
- Establish that security practices encompass all "personal" data. The GDPR requires that personal data processed outside the EU be properly secured.
- If the data travels or is processed outside the EU, does that function happen in a country that has achieved "adequate" protection status according to EU standards?
- If the data moves to the U.S., does its recipient comply with the "Data Shield" standards agreed to by the U.S. and the EU? Companies that have achieved compliance with Data Shield standards are prepared to both host EU-generated data and prove that their data security protections meet the standards of the GDPR.