Tag Archives for "data processors"

E-signatures can prove conclusion of data processing agreements

The use of electronic signatures (e-signatures) can prove that data processing contracts have been concluded and their terms agreed to, the EU’s justice commissioner has said. Věra Jourová said that it is possible for data processing contracts to be entered into digitally, but that it is not necessary for those agreements to be signed electronically for them to have effect.

Source: E-signatures can prove conclusion of data processing agreements

Should vendors be able to pass along costs of GDPR compliance?

What wasn’t obvious when the EU General Data Protection Regulation came into force was that vendors would swiftly pass along their own GDPR-related compliance costs to existing customers. But it seems to be a trend privacy pros are increasingly seeing.

Read article: Should vendors be able to pass along costs of GDPR compliance?

Managing commercial risk within the supply chain post

In the pre-GDPR days, it was fairly clear where risk and liability lay with regard to data protection issues within the supply chain, where typically one party was the data controller (usually the customer) and the other was the data processor (usually the supplier). Enforcement action could be taken against the data controller, even where the data processor caused the breach. Only data controllers could be held accountable to data subjects for compensation.

However, post-GDPR, data processors can now be held directly accountable for certain aspects of the processing of personal data, both to the DPAs and to data subjects. This has led to a shift in approach and expectation on how risks are managed and allocated within the supply chain.

Read full article: Managing commercial risk within the supply chain post

Majority of companies fear 3rd-party vendors make them vulnerable to GDPR legal risks

Only 32 percent of companies say they are fully GDPR-compliant, according to the Demandbase/Demand Metric report. The report does show that marketers are aware of the importance of data security, with nearly 75 percent saying they will invest in technology to improve their approach to data privacy. But they may need training first, with 57 percent saying their top GDPR challenge is understanding the law, and only 37 percent saying they are facing technological barriers.

Source: Report: Majority of companies fear 3rd-party vendors make them vulnerable to GDPR legal risks – MarTech Today

Global companies lacking GDPR oversight of sub-contractors

The majority of global companies admit that they do not have appropriate oversight of third parties and sub-contractors despite the imminent implementation of new data protection regulations.

A new survey by consulting firm Deloitte revealed that 57% of global organisations admitted they did not have appropriate visibility of subcontractors engaged by their third parties, a further 21% are unsure of oversight practices, and just 2% routinely review the risk subcontractors pose to their organisation.

Source: Global companies lacking GDPR oversight of sub-contractors

Vetting and contracting with processors under GDPR

Although the GDPR accommodates modern business practices of outsourcing data storage and analytics, as well as marketing communication and other functions, it requires that data controllers choose their data processors carefully and bind them with required contractual terms to GDPR’s risk-based standards.

The GDPR did not invent vendor management responsibilities. Organizations have long had procurement programs scrutinizing vendor selection on a variety of bases, from financial solvency, to service-level commitments, and beyond. Health-related privacy laws in the U.S., for instance, require business associate agreements for sending personal health information to third parties. And for information privacy and security personnel, the infamous Target data breach underscored the risk of giving third parties access credentials to secure systems housing personal data, raising risk awareness to the highest levels of management.

Source: Top 10 Operational Responses to the GDPR – Part 9: Vetting and contracting with processors

US Data Processors and GDPR Impact

On May 25, 2018 the EU will have the right to fine and regulate foreign “processors” of EU subject data, including hundreds of U.S. companies. This article will address ways to protect your organization financially and remain compliant.

Get ready: The EU’s General Data Protection Regulation (GDPR) is set to take effect in under four months (May 25, 2018 to be exact). Under the new law, the EU can directly fine and regulate foreign “processors” of EU subject data. Making matters more complicated, the GDPR’s definition of “processor” is very broad and includes most U.S. companies that receive data, from any source, that personally identifies European Union subjects.

Source: US Data Processors and GDPR Impact

Third-party risk under the GDPR

According to recent research by RSA, failure to protect customer data is creating long-term business problems for organizations. That was evident at a packed event in London on Feb. 5, where discussion centered around the fear of being unable to manage the fallout of a data breach involving a third party.

With 69 percent of the 7,500 consumers surveyed from France, Germany, Italy, U.K. and the U.S. saying they have or would “boycott a company that showed a lack of regard for protecting customer data” the concerns are real. Furthermore, 62 percent of consumers would feel inclined to blame the company above anyone else, even the hacker — and certainly not a third contractor — if they lost their personal data.

Source: Three’s a crowd — third-party risk under the GDPR

Processor compliance with the GDPR

The General Data Protection Regulation expands the scope of enforcement to include a number of companies that are not based in the EU, but regularly do business with EU data subjects. The GDPR’s expanded scope not only affects those businesses, but also the businesses that provide processing services to them.

Source: Processor compliance with the GDPR: A 101

CNIL publishes guidance for data processors

On 29 September 2017, the French Data Protection Authority (the CNIL) released a guide for data processors on implementing the obligations laid down in the GDPR. Unlike the draft guidance recently published by the UK Data Protection Authority (the ICO), ‘Contracts and liabilities between controllers and processors’, the CNIL’s guidance focuses just on processor obligations and is structured around FAQs.

Source: CNIL publishes guidance for data processors