The General Data Protection Regulation (GDPR) became enforceable on May 28, 2018, in the European Union (EU). Now, almost a year and a half later, things seem to be getting a bit more real as companies like British Airways and Marriott International are being hit with substantial fines and the Information Commissioner’s Office (ICO) gains more teeth in enforcing the rule.
But you aren’t worried. You’ve done all the difficult work to abide by GDPR in your shop, so you’re done, right? Maybe. Maybe not. You also need to check that all your partners are GDPR-compliant. And if they aren’t focused on the EU or on global markets, that could be a gap.
GDPR’s Article 28 states: “[Data controllers] shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”
That means YOU are on the hook for the actions of the partners you’re working with. In other words, if the partners that process personal data on behalf of your company aren’t GDPR-compliant, then neither are you.
How do you ensure GDPR compliance from partners? Here are some steps to take:
Request your partner disclose what customer data it handles and stores, so you can include that disclosure in your privacy policy.
Discuss your partner’s security and encryption strategies. If your partner is processing your customer data, it needs to have bank-grade security standards.
Make sure you understand where your customer data is stored geographically. Some countries require that customer data for their citizens remain within their borders.
Establish your partner is able to honor your customers’ right to be forgotten. That should be a simple process for both of you.
Have a plan for notifying customers in case your partner is breached and their data is exposed. Also, check that your partner has someone in the role of data privacy officer, such as a chief information security officer. That will reduce the odds that you’ll have a problem.
Payments and related data are special because additional regulations govern how that payments data can be stored and handled. Ensure you’re working with payments specialists who understand the intricacies of payment regulations and who retain exactly the data that is still required when a customer asks to be forgotten. A customer’s right to be forgotten doesn’t cancel their right to a refund. Tricky indeed.
One of the challenges is that the rules for personal data resemble the rules for payments data, but they are not the same. Regardless, you can still apply some of the same proven techniques, such as tokenization. Tokenizing personally identifiable information means your systems can refer to a customer through a token without ever holding the underlying data, which keeps more of those systems out of scope and in compliance.
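As an added illustration of the tokenization idea above (example code, not from the author or Modo), here is a minimal in-memory token vault in Python: orders reference the customer only by a random token, erasing the vault mapping honors the right to be forgotten, and the refund lookup still works afterwards. The vault, ledger and helper names are hypothetical; a real vault would be an isolated, access-controlled service with its keys and data protected, for instance by an HSM, rather than a dictionary.

```python
import secrets
from typing import Dict, List, Optional


class TokenVault:
    """Swaps a PII value (e.g. an email address) for a random token.

    Only the vault can map a token back to the value; every other system
    stores the token alone and therefore never holds the personal data.
    """

    def __init__(self) -> None:
        self._by_token: Dict[str, str] = {}
        self._by_value: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        """Return the existing token for value, or mint a fresh random one."""
        token = self._by_value.get(value)
        if token is None:
            # Random, not derived from the value: the token leaks nothing about it.
            token = "tok_" + secrets.token_urlsafe(16)
            self._by_token[token] = value
            self._by_value[value] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Resolve a token to its PII value, or None once the mapping is erased."""
        return self._by_token.get(token)

    def forget(self, value: str) -> bool:
        """Right to be forgotten: drop the mapping so the token can never resolve."""
        token = self._by_value.pop(value, None)
        if token is None:
            return False
        del self._by_token[token]
        return True


def place_order(vault: TokenVault, ledger: List[dict], email: str, amount_cents: int) -> str:
    """Record an order that references the customer only by token (hypothetical ledger)."""
    order_id = f"order-{len(ledger) + 1}"
    ledger.append({"order_id": order_id, "customer": vault.tokenize(email), "amount_cents": amount_cents})
    return order_id


def refundable_amount(ledger: List[dict], order_id: str) -> Optional[int]:
    """A refund needs only the order record, so it survives erasure of the PII."""
    for order in ledger:
        if order["order_id"] == order_id:
            return order["amount_cents"]
    return None
```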
It is imperative that you understand what measures your partners are taking to keep your customer data safe and secure. If your partner gets breached, you can still be held responsible for the leak. So be prepared to evaluate encryption methods, authentication processes, and how keys are created, managed, and stored. Sometimes using a hardware security module (HSM) may make sense, even “just” to secure email addresses. An HSM is a dedicated, tamper-resistant hardware device, often network-attached, that performs cryptographic operations such as encryption while keeping the keys from ever leaving the device.
It’s not worth the reputational or monetary sting to be found noncompliant with GDPR—or worse yet, experience a breach. Insist on working with a GDPR-compliant partner who will work with you to help you honor your customers’ right to the privacy, safety, and security of their data.
—Bruce Parker is founder and chief executive of Dallas-based Modo.