Two decades back, no one would have anticipated the amount of digital content we create, consume, share, monetize, and use across the globe. So why should we still follow a data protection directive dating from 1995? Keeping in mind this mismatch between the law and the mind-boggling ways in which data is used today, Europe’s policymakers have come up with the General Data Protection Regulation (GDPR), which is to come into effect on 25th May 2018.
What does GDPR mean for your third-party data processors?
Under the GDPR, any third-party processor you use has to comply with the new law. Thus, entities or companies that act as ‘controllers’ or ‘processors’ of Personally Identifiable Information (PII) will be obliged to comply with the GDPR rules. PII is anything that identifies a person (name, IP address, etc.).
The law’s effect will be more pronounced for the controller of data (an entity that regulates or determines how the processed data will be used). Controllers will now have to be more alert when choosing their vendors and dealing with them. Managing vendors the right way will constitute a major part of the compliance process.
The process becomes quite a task in a field like MarTech, where there are several applications and vendors working seamlessly to yield digital marketing outcomes. Hence, it becomes all the more important for MarTech companies to look at the overall vendor ecosystem, the tools used, the compliance in place, and how they play out in a ‘large picture’ scenario.
Third-Party Vendors – How can they gear up for GDPR?
Third-party vendors will need to ensure bare-minimum compliance on these aspects –
1 – Update the data processing agreements.
2 – Add GDPR rules to their knowledge repository to ensure organization-wide compliance.
3 – Keep customers notified about the changes to their relationship that the GDPR will entail when it comes into force in less than 6 months.
4 – Keep checklists and templates ready for better operations-level compliance.
Other data processors like HubSpot and Salesforce have certified with Privacy Shield, and have announced their goal to comply with the GDPR rules.
Your duty as a controller just became more vital
As a controller of data, you need to ensure that the vendor you are working with complies fully with the GDPR norms. You need to thoroughly vet new vendors, so that your overall data protection compliance doesn’t set off red flags. You need to ensure that they have the required certifications in place.
You may also interact with them to understand how they intend to comply with the GDPR. How vocal they are about their intentions in that interaction will tell you about their readiness to comply with this regulation. Check whether they have the processes, tools, and practices in place to retrieve old data, or to delete data that does not conform to the GDPR.
Remember that both of you are in it together. Hence a strong collaborative spirit and mutual understanding will help to iron out any issues in the third-party processing of data under the GDPR norms.