When you share anyone’s personal information, UK data protection law sets out obligations and requirements that must be complied with. UK data protection laws derive from the European Union General Data Protection Regulation (GDPR).
We refer in this guide to ‘UK GDPR’ to reference the relevant data protection laws. Of course, if your business is international and/or you handle data belonging to EU nationals, you will still need to comply with both UK GDPR and the EU GDPR.
Here we look at how UK GDPR covers circumstances in which you are sharing someone’s personal data with a third party – known as a processor of that data.
In short – yes. During your evaluation of third-party providers, UK GDPR would expect you (as the ‘controller’ of the data) to consider the data protection angle from the start and to choose suppliers that design their products or services with data protection in mind.
You should also take care to reduce the amount of personal data shared with a third party to what is necessary, and consider whether it can be anonymised or pseudonymised (pseudonymisation meaning that individuals can only be identified with the use of additional information).
Your contract with the processor should include the following:
Where you’re engaging with a sophisticated or well-known service provider, their contracts are likely to cover these points already.
Important note – if you are sharing data with a processor outside the UK or EU that is not in a country covered by an ‘adequacy decision’ (a determination that the country’s data protection standards are adequate), there are some very specific rules around the terms of the contract. Seek advice!
You should be able to demonstrate that you have undertaken appropriate due diligence on the processor prior to entering into a contract with them.
This should be proportionate to the nature of the processing, with a greater level of due diligence taking place where there are significant levels of data processing or where sensitive personal data is being shared.
Consider what information you need to gather on the processor – is a site visit appropriate, do you need to test their systems, or request that certain information be provided? Do you understand, and have you considered the appropriateness of, the security measures that the processor takes?
Your obligations don’t end when you enter into an agreement with a third party – you are also required to take steps to ensure your processor remains compliant on an ongoing basis.
The level of monitoring should be proportionate to the level of risk and/or the extent of the data processing taking place. Your contract would ideally include a provision allowing you to carry out an audit or at least receive a report on compliance, so take advantage of this from time to time to check that the processor is complying with the contract terms.
The consequences of a GDPR or UK GDPR breach can be serious – as well as fines being levied, the reputational risk can also have a significant consequence for businesses – there have already been some high-profile cases for breaches involving big names such as Google, Facebook and British Airways.
If there is a breach then individual data subjects can seek compensation from you. The Information Commissioner’s Office can also use a range of enforcement options, including issuing fines, which can be significant for businesses of any size.
As always, it’s better to be safe than sorry – so seek legal advice to ensure you and any third parties you use are compliant.