As the EU General Data Protection Regulation (GDPR) was written into law on May 25, 2018, many organizations such as Amazon, Facebook, Google, and Microsoft were quick to provide updated privacy policies, SCC contracts and data processing addendums to customers and users in the U.S. and abroad in an effort to conform.
Large organizations on the whole were aware of the GDPR and enacted plans to conform long before the May 25, 2018 deadline, but some smaller entities may have been, and may still be, left with questions about how to put in place measures to comply with the new data privacy requirements.
This article focuses on one such smaller kind of organisation: independent video game developers, often referred to as indie game developers, who will almost always collect and process data from players to improve their games, add or remove features, or release new enhancements. We will therefore first cover the features of the GDPR that are relevant to indie game developers.
GDPR Key Features:
The GDPR sets out seven key principles that should be at the heart of every organisation’s data privacy strategy:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
What is the reach of the GDPR, and who is affected?
The current Article 3 states that the GDPR applies:
- “to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, whether or not the processing takes place in the Union;
- to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union where the processing relates to the offering of goods or services (whether free or paid for) or the monitoring of behaviour which takes place within the EU; and
- to the processing of any personal data by a controller outside the EU but in a jurisdiction where Member State law applies by virtue of international law (e.g. a diplomatic mission or consular post).”
Business Issues faced by Indie Game Developers
A video game developer and/or designer, such as an indie game developer, may struggle with GDPR compliance when it collects data from players interacting with its game in order to improve the game or add new features. Having a GDPR strategy in place at the beginning of the development lifecycle reduces the risk of post-development data privacy remediation work, and a proactive organisation can thereby move ahead of the competition while enhancing its brand.
As such, the developer may be wary or unsure of how to collect such data while still conforming to the GDPR. There are a number of purposes for which an indie game developer may legitimately collect, store and process data, such as the following, to name a few:
- To fulfil a contract of membership to the game or game developer
- Payment data for the purchase of in-game store items
- Anti-hacking and anti-cheat measures to detect rule breaking
- Anti-fraud measures to protect against fraudulent payments
- Measuring game utilisation
- Forums and in-game chat
Indie game developers, and developers in general, should take heed of the guidance provided by the European Commission by adopting privacy by design.
What is data protection by design?
Data protection by design is ultimately an approach that ensures you consider privacy and data protection issues at the design phase of any system, service, product or process, and then throughout its lifecycle. Data Protection Impact Assessments (DPIAs) are the best tool for this.
The GDPR requires you to:
- put in place appropriate technical and organisational measures designed to implement the data protection principles; and
- integrate safeguards into your processing so that you meet the GDPR requirements and protect individuals’ rights.
In essence this means you have to integrate, or ‘cement in’, data protection into your processing activities and business practices.
Data protection by design has broad application. Examples include:
- developing new IT systems, services, products and processes that involve processing personal data;
- developing organisational policies, processes, business practices and/or strategies that have privacy implications;
- physical design;
- embarking on data sharing initiatives; or
- using personal data for new purposes.
Map out the objectives of the Game
For example, will the video game be offered via a digital publisher like Valve’s Steam platform to an international or worldwide audience?
The developer should ensure that it has identified the legal basis for processing the players’ data, as set out in Article 6:
Article 6. Lawfulness of processing
Processing shall be lawful only if and to the extent that at least one of the following applies:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Regardless of which legal basis developers rely on when collecting in-game data, indie game developers in particular should at least document the processing that is subject to the GDPR, in accordance with Article 30 of the GDPR, which provides:
Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:
- the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
- the purposes of the processing;
- a description of the categories of data subjects and of the categories of personal data;
- the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
- where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
- where possible, the envisaged time limits for erasure of the different categories of data;
- where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
The GDPR is here to stay and should therefore be seen as a powerful tool to protect data subjects, players and developer staff alike, but also as a sound framework for gathering data and using it for the good of everyone associated with the game.
Relentless Data Privacy and Compliance have implemented GDPR frameworks for some of the largest game developers on the planet. Whether you’re a small indie developer or a large publisher, we are here to help.
Launching on 29th April, the Relentless GDPR 24/7 platform will enable organisations to deliver their GDPR compliance strategy from a single portal available 24/7/365. For a FREE 14-day trial, register below.
The hotel industry is considered to be one of the most targeted industries for data threats, because hotels process, and in almost all cases store long term, a very high volume of guests’ personal information and payment card transactions every day.
And there are numerous examples to back up this statement! Hotel groups and single-venue hotels have reported more than twelve data breaches and data security attacks since 2010, including leading brands such as Hyatt, Hilton, Kimpton and Omni.
Such high volumes of personal data attract the attention of highly skilled hackers and criminal organisations, for whom data is the new gold.
The GDPR was created to bring as much uniformity into data protection as possible, giving control back to citizens and residents over their personal data and to simplify the regulatory environment for international business with a regulation that is far better suited to the challenges today’s digital world poses.
And before you say “EU?”, the GDPR also applies to organisations outside the EU. Despite being an EU regulation, the GDPR applies to any organization that is processing or holding EU personal data, regardless of where that organization is located.
How will hotels be impacted?
There are a number of requirements that hotels will need to meet and demonstrate when it comes to the use of personal data, such as:
- A hotel must provide very detailed information on why it needs to process personal data, and how long it plans to keep it. This procedure involves organized retention policies so that a hotel always knows the status of such information.
- A hotel must keep technical and organizational records to prove it is protecting data.
- A hotel must outline its guidelines for collecting and managing PII.
- When it comes to digital marketing and the collation of personal information, hotels need a section on their website that permits “opting in,” thus allowing them to store PII. Hotels must also be able to prove that their audience has given consent for their data to be used for marketing purposes, must specify which data will be used, and must explain the process that enables guests to access, modify and delete their information. If a list of potential customers has been purchased, the hotelier must also receive documentation proving that consent has been given for the data to be used.
What are the main requirements for compliance with the GDPR?
In order for hotels to comply effectively with the GDPR they need to review their connections to data processors, their own security policies, and whether they have the qualified staff on hand to navigate the new laws. This covers all departments, including CCTV.
- Data Mapping: Hotels receive personal data through multiple channels and touchpoints including email, fax, phone, website, forms, etc., and this data is often stored on multiple platforms across several departments. One of the first issues a hotel needs to tackle is therefore to complete a full data map: what data is captured, where it is stored, who manages it, how it is used, and where it ends up, before beginning the process of protecting and monitoring it going forward.
- Data Security Assessment: Once data mapping is completed, hotels need to decide how information will be stored and handled, and then test and document how the data is secured and identify any weaknesses. Hardware and software applications should also be reviewed, along with hard-copy files. If the information is stored electronically, encryption, passwords or access restrictions may need to be implemented to protect access to, and the integrity of, the data.
- Implementation of new GDPR policies: One of the key principles of GDPR is not to retain personal data for longer than necessary. Although onerous, your current data records will need to be cleaned up – deleting what is not required and validating the data that is required.
- Ongoing compliance and monitoring: Maintaining GDPR will be an ongoing process. To ensure you continue to comply and reduce the risk of data breaches, hoteliers should:
- Invest in training of all relevant staff members to ensure they have a thorough understanding of the new procedures and the implications of the regulation.
- Provide regular refresher training for all staff to maintain a culture of awareness and protect against possible breaches.
- Ensure employees know the processes in the event of a breach and to report any mistakes immediately to the DPO or the person or team responsible for data protection compliance.
Hotels, both large and small, often make mistakes when it comes to personal data, but under the new GDPR the penalties for doing so are far higher. A misuse or breach of personal data carries the risk of administrative fines of up to 4% of total annual worldwide turnover (which is huge); beyond that, you also run the risk of tarnishing your reputation and paying out on damage claims.
Whatever you decide to do to achieve GDPR compliance, if you haven’t already started, it is vital that you begin preparing now. Becoming GDPR compliant will not only take longer than you realize, but failure to comply and update your data protection processes to safeguard guest data means you run the risk of severe financial penalties.
Good news is on the way: on 29th April 2019 the Relentless GDPR 24/7 platform goes live. All the above GDPR requirements can be implemented and maintained in one place.
Register for your FREE 14 DAY TRIAL today
Relentless GDPR 24/7 is the new Platform for all your GDPR Compliance Activities.
Can you believe it’s been almost a full year since the General Data Protection Regulation (GDPR) arrived on the scene?
It seems like only yesterday that businesses across the European Union (EU) were working overtime in a frantic scramble for compliance with the biggest change to data protection laws in decades. Yet here we are, almost 12 whole months down the line and, for some businesses, little has changed.
If your organisation is one of them, the good news is on the way.
The new GDPR 24/7/365 platform from Relentless Privacy & Compliance is on hand to help you achieve frictionless GDPR compliance.
Available anywhere, at any time and on any Internet-connected device, this secure, cloud-based platform serves as your one-stop-shop for all the documents, templates, systems and strategies you need to simplify and streamline your entire GDPR compliance process.
Why GDPR compliance matters now more than ever
Despite the GDPR officially coming into force on May 25th, 2018, the organisations tasked with enforcing it throughout the EU, such as the UK’s Information Commissioner’s Office (ICO), spent most of 2018 taking a fairly lenient approach to enforcement.
Though organisations could have been fined €20 million or 4 per cent of their annual turnover for non-compliance, we didn’t really see that kind of game-changing punishment handed out last year. Instead, those who did fall foul of the GDPR were hit with fines that amounted to little more than a proverbial slap on the wrist.
Yet according to leading data protection experts, that may have been a subtle way for the ICO and its European counterparts to offer a ‘grace period’ to EU organisations, effectively giving them a warning to get their act together.
However, as the GDPR approaches its one-year anniversary, that grace period has come to an end and those same experts are referring to 2019 as “The Year of Enforcement.” In other words, we should expect the gloves to come off and non-compliant businesses to be held accountable to the full extent of the GDPR.
Not that this has to be such a terrifying prospect for any organisation.
Whether you’re a small startup or a rapidly expanding enterprise, the GDPR 24/7 portal contains everything you need to help avoid those huge fines and effortlessly manage your GDPR compliance.
24 hours a day, 365 days a year, you’ll have access to:
- Customisable DSAR forms branded with your company details, making it easy to accept, organise and process Data Subject Access Requests
- A simple, secure online case management system so that you can record all of your DSAR responses in one convenient location
- Data mapping and visualisation tools so that you can audit, manage and streamline your entire compliance process
- The latest expert advice and guidance on all aspects of privacy and data protection
- A bespoke GDPR compliance toolkit tailored to the exact, unique needs of your organisation
- State-of-the-art automation to ensure your records of processing activities, privacy notices and other documents are always on hand and up-to-date.
- Online DPIA process tool to manage those high risk projects.
- Online Data Breach management process
- Controller / processor contract generator
Plus much more.
The new GDPR 24/7/365 platform from Relentless Privacy & Compliance is set to launch in late April 2018. For a free demonstration or to register your interest, call Relentless on +44 (0) 121 262 4024 or contact us online today.
Priced on average 40% lower than the main competition.
Relentless GDPR 24/7 comes with a free 14 day trial. Please register below.
On 25 May 2018, the EU’s General Data Protection Regulation (“GDPR”) came into effect across the 28 member states of the EU. The GDPR has had a significant impact on those who collect, use, share and otherwise process “personal data.”
How is personal data used in the transport sector?
Predominantly, “personal data” means any information which relates to an identified or identifiable individual, generally a passenger in this context. It will include, for example, the passenger’s name and contact details; it will also (occasionally) include information about travel routes, vehicle usage, the dates and times passengers enter or exit a transport network, fare or toll information, and passport or national ID details.
The legislative upgrade brought in by the GDPR has affected businesses and organisations throughout the transport sector, from rail or bus operators, airlines, passenger transport authorities, manufacturers of connected and autonomous vehicles, in-vehicle or on-board platform developers, to smart ticketing
Transport data, and the ability to understand and use it to advantage, sits at the heart of recent technological advances within the industry.
Intelligent traffic and mobility platforms are gathering and sharing ever more personal data, and the growth is exponential.
For example, personal data can be used for:
- increasing the efficiency of passenger flows within airport terminals via smart ticketing data and mobile phone or tablet analytics;
- developing city planning and operations, through tracking of smart passes or connected and self-governing vehicles;
- generating revenue from data, by providing it to third parties such as station or airport retailers, advertisers, mobile network operators or automotive service and parts suppliers. Retailers within airports are using wifi analytics of mobile devices to push those last minute shopping offers directly to the passengers as they pass the shop.
It is essential, though, that transport businesses and organisations understand and comply with the GDPR, not least because of the increased penalties for non-compliance, including (in the worst cases) fines of up to €20 million or 4% of worldwide turnover. Take Dubai Duty Free (DDF) as an example: it announced ‘record-breaking’ annual duty free sales of $1.93bn (€1.61bn) for 2017, so a worst-case fine, if the maximum were applied, would hit DDF to the tune of over $77M.
On a more positive note, complying with the GDPR and being transparent about how data is collected and shared can also deliver significant business benefits. Passengers will be more willing to provide their data, and for different uses, if they trust organisations to handle it fairly, securely and responsibly.
Key areas of impact for the transport sector
Clients are already talking to us about impacts in the following areas:
- use of smart ticketing data e.g. on fares / tolls or on Mobility as a Service projects;
- use of vehicle tracking and/or road charging data;
- insurance companies measuring a driver’s ability;
- vehicle sharing / service models – addressing issues of different drivers and passengers using a vehicle;
- legally compliant methods for storing geolocation data or mobility patterns;
- ensuring data security within intelligent transport systems.
The impact areas highlighted above are just some of the considerations for transport businesses and organisations. When performing a full GDPR assessment, transport businesses and organisations must:
- give careful consideration to what personal data they collect and how they use, share and otherwise process it;
- review their existing supplier and other agreements to ensure that they meet the more onerous requirements of the GDPR, and properly allocate risk between the parties;
- ensure that they implement the principle of privacy (or data protection) by design, which means that data protection should not be an afterthought or an issue casually considered at the end of a project or procurement of a new system; it must be central to the way that organisations plan and operate; and
- put in place those other policies, procedures and governance structures which will be needed – together with relevant training – to ensure on-going compliance.
If you would like to discuss the GDPR, or any of the issues raised by it, please contact one of our experts by calling
Data is the new gold of the online world: its value increases daily, but unlike the gold market it never falls in price or fluctuates. To large tech companies like Facebook, Google, Twitter and Instagram, consumer data is categorised as a product, and one that their profits are built on.
For online users and consumers, personal data acts as currency – sharing your data, such as your email address, affords you access to numerous services and content. For marketers, data is key to running successful campaigns; it helps marketing professionals recognise site visitors, target the right people with the right content and much more. And, crucially, it’s the marketing professional’s responsibility to use and store the data they are given responsibly.
It is no mystery, therefore, that 73% of people agree that in the internet age you have to provide personal information in order to buy things. – DMA
However, the legislation around data use has changed: the General Data Protection Regulation (GDPR), introduced on 25th May 2018, was enforced across the twenty-eight member states of the EU. But what did this actually mean? How has it impacted the way marketers and consumers alike treat data? And what do organisations need to do to comply with the GDPR?
The GDPR was adopted in April 2016 and came into force on 25th May 2018, building on the 1995 Data Protection Directive and modernising data regulation to reflect how businesses use and collect data today.
Answering Your GDPR Questions
What data has been affected by GDPR?
As defined by the EU, ‘personal data’ includes any information that can be used to directly or indirectly identify an individual (or ‘data subject’). This means that everything from an email address, to a name, IP address, photo and more are included.
What areas will GDPR legislation cover?
Six top-level areas that the GDPR covers are:
- Right to access: Under GDPR, data controllers (companies that hold personal data) must be able to provide (for free) a copy of an individual’s data if requested. Individuals may find out what personal data of theirs is being processed, where and why.
- Right to erasure: The ‘right to be forgotten’ allows individuals to request that a data controller deletes their personal data; preventing them and related third parties from accessing or processing their information.
- Data portability: Under GDPR, individuals will be able to request access to their data ‘in an electronic format’, which they can transfer to another data controller (such as when switching service providers).
- Data breach notification: This means customers and data controllers must be notified of data breaches (leaks, hacks, or lost data – such as information on a lost USB stick) within 72 hours.
- Privacy by design: Data compliance and data protection must now be considered from the start when designing new systems. Organisational and technical processes must be considered to ensure personal data is secure and that only data that is ‘absolutely necessary for the completion of duties’ is held.
- Data protection officers: Public companies, or companies whose main activities involve data processing and monitoring will now need to appoint a data protection officer rather than notifying local Data Protection Authorities of their activities.
What impact has it had for non-EU marketers?
GDPR legislation became mandatory across the EU from 25th May 2018.
In fact, as the GDPR affects all companies that handle EU citizens’ data, regardless of where that company is located, marketers worldwide need to comply with the GDPR if they manage any EU data.
What ways has this impacted B2B digital marketing/sales?
A few of the (many!) things that marketers should consider include:
One of the most impacted areas to note is that ‘implied consent’ is no longer an option for B2C (personal) data.
There is an exception called the ‘soft opt-in’. This means that consent is not required if you are sending marketing messages about similar products and services to your customers/clients, or to those with whom you have negotiated to provide products or services, as long as:
- You give them the opportunity to opt-out when you receive their contact information; and
- You give them the opportunity to opt-out when you send them subsequent messages.
This processing is not based on consent, but rather the legitimate interests processing condition and can only be relied upon by the organisation that collected the contact details, not third parties.
Under GDPR, consent must be explicit. Companies must be able to provide proof that an individual elected to opt-in to communications and didn’t just fall onto the list by default – such as checking an unchecked ‘opt-in’ box on a form. ‘Double opt-in’ would also be best practice; where opt-in is followed up with a ‘click to confirm’ email.
However, for corporate or business data, ‘implied consent’ means marketers are able to email someone, so long as that person had the option to opt-out of emails at the time of purchase (or conversion – such as for form completions).
Unless you’re confident your database does not contain any personal data (e.g. email addresses, phone numbers), our recommendation is that you remain as compliant as possible.
Marketing with ‘Legitimate interest’
So, opt-in is compulsory for B2C data. However, there are considered to be two perspectives on GDPR opt-in. The first is consent, where a business must gather opt-ins from every B2C contact (as above). This is considered best practice as it guarantees compliance.
The second perspective is legitimate interest, where, as quoted from the DMA, “If a business decides to use the legitimate interest precedent for their direct marketing, then it will be able to send email marketing on an unsubscribe/opt-out basis”. Note that this isn’t a route to ‘get around’ GDPR. All other aspects of GDPR must be met, and if challenged, proving ‘legitimate interest’ (read: relevant and appropriate) may be harder to do legally. A Legitimate Interest assessment needs to be completed and documented and stored for audit purposes.
As consent guidance under the GDPR becomes more stringent, we predict that there will be a move towards legitimate interests as an alternative legal basis to process people’s data. This involves balancing legitimate business data use against an individual’s privacy to see which side is “heavier”: “the pursuit of this legitimate business interest is in the interests of the ‘wider community’ as it allows it to receive less waste, more relevant marketing as well as free content.” – Acxiom UK
Data capture fields and forms
With opt-in becoming a mandatory requirement, marketers must ensure any on-site forms (current and future) are made compliant. Compliance of course extends beyond the option to opt-in – forms must be deployed and hosted in a way that complies with GDPR.
Third party compliance
For many marketers, third-party tools and marketing technology providers (e.g. marketing automation platforms, CRMs, etc.) form much of their data ecosystem. In this case, it’s important that marketers check that their marketing partners and vendors are compliant and that due diligence has been performed as part of the contracted services provided.
- Ask suppliers to detail how they will store and process data to ensure GDPR compliance.
- Ensure there is a point of contact on each side, plus a process in place to manage any data breaches. Both sides must be able to react and respond quickly in compliance with the ‘Data breach notification’ requirements.
- Make sure to only collect data that is necessary, or that falls under a ‘legitimate interest’.
- Be sure it’s possible to delete data should you stop using a service, and that you can download your own data when requested.
Considering events, opt-in consent requirements mean marketers will no longer be able to add event attendee lists to a campaign – you would need to show evidence for opt-in, such as an opt-in from your stand, or a follow-up email post-event.
Under the ‘right to be forgotten’, as everybody has the right to opt-out, this may affect the way you manage your CRM; for example you would no longer be able to mark someone as ‘do not contact’ – personal details would have to be deleted. It’s also worth checking tech stack integrations to ensure that when requested, data can be removed from all related databases and platforms.
In situations like new contact data record creation, or where contacts provided by a third party are being added or integrated into a database, opt-in compliance is again imperative. Managing and handling this across multiple areas (importing contacts from a spreadsheet, adding a contact from a business card, integrating Sales Navigator contacts with your CRM) may be the most complex part of compliance here.
What are the penalties for non-compliance?
The penalties for non-compliance with GDPR are set to be significant and could be up to €20 million, or 4% of an organisation’s annual turnover – whichever is greater.
Tips For Compliance for GDPR
With just under a year since the introduction of the GDPR, what must organisations that process personal data do to meet compliance?
- Raise internal awareness. Make sure that key stakeholders and decision makers in your organisation are aware of the implications of the GDPR.
- Audit and document your data. Know what personal data your organisation holds and processes, why and where it is processed, where it came from, and who you share it with.
- Account for individuals’ rights. Make sure you have procedures in place that address all the rights that individuals have, from how you would delete personal data to providing data electronically if requested.
- Identify your legal basis for processing personal data. Review the types of data processing you conduct, identify your legal basis for doing so – and document it.
- Subject access requests. Update your procedures and identify how you will handle requests in future.
- Put contingency plans in place. You need to be prepared to detect, manage and report on and investigate any personal data breaches.
- Consider how you obtain consent. How do you currently obtain and record consent? Do you need to amend any processes?
- Consider age verification as well as consent. Systems must be established to verify individuals’ ages and to gain parental/guardian consent for data processing where children are concerned.
- Assign a Data Protection Officer. Companies that process vast quantities of personal data, or process large-scale ‘special categories’ of data (sensitive data, such as race or religion), must designate a DPO to take responsibility for data protection compliance.
- Consider international implications. If you’re part of an international organisation, determine which data protection supervisory authority you fall under.
- Data Protection Impact Assessments. Make sure your organisation is familiar with ICO guidance on Privacy Impact Assessments and plan how to implement them.
Ultimately GDPR is About More Relevant Marketing and Greater Transparency
Our advice to inbound marketing agencies has always been to be as transparent as possible with consumer data, to build more relevant, valued relationships with your customers and consumers.
Marketing shouldn’t be pushy or mysterious for consumers. If a consumer understands why they’re opting into your messaging – and can see the value they’ll gain, that’s a true, trustful relationship to have and should be the default.
GDPR should help to contribute to that: ensuring data protection, trust and proven value through best practice and transparency.
Relentless Data Privacy and Compliance help organisations plan and implement their marketing GDPR frameworks. Call us on 0121 262 4024 for more information.
If being tasked with ensuring your organisation achieves compliance with the General Data Protection Regulation is not difficult enough, putting in place a strategy to manage the GDPR compliance of the organisations you outsource the processing of your customers’ personal data to (data processors) can seem like the mountain stages of the Tour de France. The monumental shift of accountability and responsibility now placed upon data controllers has changed the landscape of vendor relations for the good of both parties, but more so for the controller.
Together with this shift in responsibility, companies will also need to establish more strenuous due diligence practices for managing their relationships with vendors who act as data processors.
As an example, a global tech company offering cloud SaaS services may act as a controller with regard to its own employees’ data and as a processor with regard to its customers’ data. Under the GDPR, the company would be accountable for the vendors used to manage its EU employee data (in that case, its processors) and for the vendors used to manage its EU customer data (in that case, its sub-processors).
Don’t expect vendors to roll out the red carpet when it comes to due diligence: be prepared for push-back when you raise the privacy bar and tighten what is expected and demanded of a vendor entrusted with your customer data.
Make no mistake, the task of vendor management is not an easy road and can be resource sapping.
But the organisation’s obligation for compliance with GDPR could not be clearer — the penalties are steep and the collateral public relations and organisational brand damage can have an exponential effect on a company’s performance and balance sheet.
So what is the best and smartest approach to vendor management under GDPR? I hear you say.
Here we outline some best practices for conquering this challenge.
1: What are the legal requirements?
Before sending your team into battle in an attempt to simplify a compliance process and make it more efficient and less resource sapping, you absolutely must have a clear understanding of the obligations the GDPR specifies for managing the complexity of processor relationships.
Be sure to examine:
- Article 28(1)-(3): Processor Obligations
- Article 24(1): Controllers
- Article 29: Processing under the authority of the controller or processor, and
- Article 46(1): Transfer subject to appropriate safeguards.
After reading through the above it will become glaringly obvious that your organisation cannot just sign on the dotted line and pass valuable assets (your customers’ personal data) over to an outsourced partner for processing without conducting in-depth due diligence. In the worst-case scenario of a data breach at your data processor’s organisation, the spotlight will always start to shine upon how the data was assigned to the processor and under what conditions. Three vital pillars for controller/processor arrangements are:
1: Contract terms must be in place.
2: Controllers must monitor the services provided by the processor during the arrangement.
3: At the end of the arrangement, the controller must manage the return or destruction of the personal data the data processor is holding.
If there is a violation or data breach caused by a vendor, your organization will be liable.
Best practices for applying such a wide-ranging approach to vendor management include:
Identifying the right people, formulating a process for effective communication with vendors, leveraging technology to manage the process, and retaining solid metrics for internal and external compliance purposes.
A first step is to establish who within your organization should be engaged with vendor selection and management. Someone should be accountable within each business unit that utilizes vendors – this may be a senior manager or director of a particular operational business unit or product team. It helps to identify these privacy champions, who are responsible for following company policy on vendor management and for promoting a culture of mindful sharing of data with vendors. While it’s great if you have a formal Vendor Management Department, the best strategy is to form a data privacy centre of excellence made up of department stakeholders and technical security professionals.
Vendor management cannot be seen purely as a rigorous selection process that is only revisited at the contract renewal stage.
Any processing of personal data by a third-party vendor should be in scope for a GDPR-compliant vendor-management process, regardless of the cost of the service being offered, and should be reviewed throughout the lifecycle of the contract.
Vendor Inventory:
Not having a vendor inventory and a contract record-keeping repository can be a recipe for disaster.
Many companies struggle with the design and maintenance of a complete inventory of vendors and vendor contracts. This is especially true where there are multi-entity divisional silos across the organization, no central repository of vendor contracts, and local teams retain copies of vendor contracts locally, unsure whether they are up to date.
Ideally, you’ll want to have a centralized system which will not only track vendor contracts, but will also provide robust reporting to flag vendors who process personal data and could be underperforming.
With the right reporting platform in place, your organization will have superior visibility into your vendor management strategy and roadmap, and should have no problem tracking progress and measuring success or failure. This is key, because you will want to be able to produce evidence that demonstrates compliance with the GDPR.
Relentless Data Privacy and Compliance have a wide range of services covering all aspects of the GDPR journey.