GDPR and Third Party Vendors: Ensuring Compliance Across your Supply Chain

Published by Sabrina Pagnotta on August 31, 2021
In 2018, the business world almost melted down at the terrifying news that the General Data Protection Regulation (GDPR) was coming into force. Now it is a widely implemented and respected data privacy regulation for organizations both inside and outside the European Union. With everything we’ve come to know since, it’s worth analyzing the impact of GDPR on the use of trusted service providers in support of business operations. Here’s everything you need to know about GDPR and third party vendors.

Key Terms and Definitions of GDPR

Before we can discuss GDPR and third party vendors, it’s critical that we understand the definitions of Controller, Processor, and Personal Data (found in Chapter 1, Article 4) and the territorial scope (found in Chapter 1, Article 3) as set out by GDPR:

  • “Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
  • “Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

As for the “Territorial Scope”:

  • GDPR applies to the processing of personal data in the context of the activities of an establishment of a Controller or a Processor in the European Union, regardless of whether the processing takes place in the Union or not.
  • GDPR applies to the processing of personal data of data subjects who are in the Union by a Controller or Processor not established in the Union, where the processing activities are related to:
    • the offering of goods or services, irrespective of whether a payment of the Data Subject is required, to such data subjects in the Union; or
    • the monitoring of their behavior as far as their behavior takes place within the Union.
  • GDPR applies to the processing of personal data by a Controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

What to do if you are subject to GDPR

Effectively, GDPR might apply to your company if data belonging to an EU resident is accessed or processed (by your company or by your company’s trusted third parties) while the individual is a resident of the EU. This isn’t the end of the known world, but it can complicate the management of your company’s data if your data warehouses are not already highly organized and segmented.

The first major obstacle is identifying whether or not GDPR applies to your organization. If you’ve made it this far into this article, let’s assume you’ve validated GDPR’s applicability to your company. If your company uses a trusted third party vendor to process or store your company’s data, then those third parties could be considered “Processors” according to GDPR’s definitions (above), which also brings them under GDPR’s oversight.

Next, the specific data elements protected by GDPR need to be identified and their location(s) properly documented. Proper data mapping helps to identify which data elements need to be isolated from others so that, when specific GDPR provisions (such as a Data Subject’s right to be forgotten or right to object to processing) are invoked, timely compliance with those requirements can be enforced. Once the appropriate data elements are identified (and properly mapped), the day-to-day maintenance and management of the database becomes significantly less complex and easier to work with.

Other GDPR compliance requirements still apply, such as the appointment of an appropriate Data Protection Officer (DPO), who will be required to report to the Supervisory Authority designated by each Member State of the EU. It is also worth knowing that a company may engage a trusted third party to serve as its appointed DPO.

When all things are in order, one of the most important pieces of this vast puzzle remains the organization, identification, and ease of management of the databases to which GDPR requirements apply. There are multiple technical tools available to assist in these efforts if your company maintains its own on-site, internally hosted database. There are also multiple tools available to help companies without these capabilities, offering various types of cloud-hosted solutions (SaaS) to properly organize, manage, and report on GDPR compliance.

GDPR and the Integration of Third Party Vendors: Talking about Compliance

If your company is subject to the oversight required by GDPR, it may be a good idea to let your trusted third parties know that they, too, may become subject to these requirements. This will help ensure that their own compliance is in order and that they are accepting any additional responsibilities.

For new third party vendors onboarded in your organization, you could simply add GDPR-related requirements to your risk assessment and monitoring workflow.

Learn More: How to Customize Requirements in Your Vendor Risk Assessments

In consideration of protecting your existing relationships, notice to your current third parties may be necessary if you change your requirements associated with providing goods and/or services to your company. Please seek your company’s appropriate legal guidance and counsel for formal advice and direction.

3 Reasons Why You Should Consider GDPR Compliance

Even if GDPR compliance may not be a priority for smaller data collectors or companies based outside of the EU, it’s still worthwhile to consider for the following reasons:

  1. GDPR compliance is not as costly as it seems. The cost of complying will depend on how you’re impacted by the regulation. For some organizations it could just be a matter of adding a few new disclosures to their website, and for others, there will be a need to hire a DPO, or to implement new processes and technologies.
  2. GDPR compliance has a positive impact on customers that trust you with their data. Large, multi-national corporations may have the most at stake, but working towards GDPR compliance will make data safer in any case. Showing that you take security seriously always results in more business and in cutting losses related to a cybersecurity incident.
  3. GDPR compliance puts you ahead of the pack. Regulations promote a sense of responsibility and create a safer environment that is often replicated. If a similar standard were to be passed in your country or state, you would be one step ahead if you already have the experience of complying with GDPR.
Sabrina Pagnotta
Sr. Content Strategist
©2023 ThirdPartyTrust, LLC and its Affiliates. All Rights Reserved. | 111 Huntington Ave. Suite 2010 Boston, MA 02199