In the seventh of a series of posts on the General Data Protection Regulation (GDPR), which applies from May 25th, 2018, I’m looking at the implications of GDPR for your vendor management.
Here’s what you need to know:
Who does this apply to?
This aspect of GDPR applies to any data controller, defined as a body that “determines the purposes and means of the processing of personal data”, that outsources data collection or processing to a third party (a data processor). So, if you use personal data but employ another company to collect or handle it, then this applies to you. Under GDPR, the data controller is explicitly responsible for using only vendors that provide sufficient guarantees that they will handle personal data properly, and remains accountable for that processing.
Be careful when outsourcing
The onus is on you to ensure compliance, so you must be very careful when selecting a vendor to handle your data. GDPR requires a data protection impact assessment wherever the processing is likely to result in a high risk to individuals, and it is prudent to carry one out prior to selecting a vendor; this is particularly important when sensitive (special category) personal data is involved. It would also be prudent to assess existing vendors in the same way, to ensure their activities comply with GDPR.
You must also be wary of your vendor sub-contracting any data handling work. A processor may only engage a sub-processor with your prior written authorisation, which can be specific (for a named sub-contractor) or general (in which case the vendor must tell you about any intended changes so that you have the chance to object). Any sub-contractor must be bound by the same data protection obligations that your contract places on the vendor, and the vendor remains fully liable to you for the sub-contractor’s performance.
Draw up a contract
You must draw up a written contract with your new vendors that contains the clauses GDPR requires, covering the subject matter, duration, nature and purpose of the processing, the types of personal data and categories of data subjects involved, and the obligations of each party (for example, processing only on your documented instructions, keeping the data secure, assisting you with data subject requests and breach notification, and deleting or returning the data at the end of the contract). The contract should also set out liabilities and responsibilities clearly. With current vendors, it’s wise to review your existing contract and, if necessary, agree new terms and conditions. Be aware that this may require you to renegotiate commercial terms to cover increased compliance costs and greater risks.
• This applies to you if you outsource any personal data collection or processing work
• You must ensure new and existing vendors, and any sub-contractors they use, are compliant
• You must draw up vendor contracts containing the specific clauses GDPR requires