1. Am I responsible for ensuring my third party data processors comply with data protection law?
In short – yes. During your evaluation of third-party providers, UK GDPR would expect you (as the ‘controller’ of the data) to consider the data protection angle from the start and to choose suppliers that design their products or services with data protection in mind.
You should also take care to reduce the amount of personal data that is shared with a third party to that which is necessary and consider whether it can be anonymised or pseudonymised (so that individuals can only be identified with the use of additional information).
2. What contracts should I have with suppliers who process personal data?
Your contract with the processor should include the following:
- An obligation that the processor must:
- only act on the controller’s documented instructions, unless required by law to act without such instructions;
- ensure that people processing the data are subject to a duty of confidence;
- help the controller respond to requests from individuals to exercise their rights;
- submit to audits and inspections.
- The technical and organisational security measures that the processor must adopt (including encryption, pseudonymisation, resilience of processing systems and backing up personal data in order to be able to reinstate the system).
- Clauses to make sure that the processor either deletes or returns all personal data to the controller at the end of the contract. The processor must also delete existing personal data unless the law requires its storage.
- Clauses to make sure that the processor assists the controller in meeting its UK GDPR obligations regarding the security of processing, the notification of personal data breaches and data protection impact assessments.
- Details of the Processing taking place which include such as the categories of data subjects, the types of personal data to be processed, what the processing is for and for whole long.
Where you’re engaging with a sophisticated or well-known service provider, their contracts are likely to cover these points already.
Important note - if you are sharing data with a processor outside of the EU, or one of the other countries with an ‘adequacy decision’ – where the EU has determined that country does not meet its data protection standards – there are some very specific rules around the terms of the contract. Seek advice!
3. How thoroughly must I check that a third party data processor is compliant?
You should be able to demonstrate that you have undertaken appropriate due diligence on the processor prior to entering into a contract with them.
This should be proportionate to the nature of the processing with a greater level of due diligence taking place where there is significant levels of data processing or where sensitive personal data is being shared.
Consider what information you need to gather on the processor – is a site visit appropriate, do you need to test their systems, or request certain information be provide? Do you understand and have you considered the appropriateness of the security measures that the processor takes?
4. What should I do to monitor a third party’s compliance with UK GDPR?
Your obligations don’t end when you enter into an agreement with a third party – you are also required to take steps to ensure your processor remains compliant on an ongoing basis.
The level of monitoring should be proportionate to the level of risk and/or the extent of the data processing taking place. Your contract would ideally include a provision allowing you to carry out an audit or at least receive a report on compliance, so take advantage of this from time to time to check that the processor is complying with the contract terms.
5. What happens if a breach of UK GDPR takes place?
The consequences of a GDPR or UK GDPR breach can be serious – as well as fines being levied, the reputational risk can also have a significant consequence for businesses - there have already been some high-profile cases for breaches involving big names such as Google, Facebook and British Airways.
If there is a breach then individual data subjects can seek compensation from you. The Information Commission can also use a range of enforcement options, including issuing fines which can be significant for businesses of any size.
As always, it’s better to be safe than sorry – so seek legal advice to ensure you and any third parties you use are compliant.
Would you like to know more?
Thrings Commercial team helps businesses thrive by providing practical business advice from commercial specialists.
