Tag Archives for "data processors"

Global companies lacking GDPR oversight of sub-contractors

The majority of global companies admit that they do not have appropriate oversight of third parties and sub-contractors despite the imminent implementation of new data protection regulations.

A new survey by consulting firm Deloitte revealed that 57% of global organisations admitted they did not have appropriate visibility of subcontractors engaged by their third parties, a further 21% are unsure of oversight practices, and just 2% routinely review the risk subcontractors pose to their organisation.

Source: Global companies lacking GDPR oversight of sub-contractors

Vetting and contracting with processors under GDPR

Although the GDPR accommodates modern business practices of outsourcing data storage and analytics, as well as marketing communication and other functions, it requires that data controllers choose their data processors carefully and bind them with required contractual terms to GDPR’s risk-based standards.

The GDPR did not invent vendor management responsibilities. Organizations have long had procurement programs scrutinizing vendor selection on a variety of bases, from financial solvency to service-level commitments and beyond. Health-related privacy laws in the U.S., for instance, require business associate agreements for sending personal health information to third parties. And for information privacy and security personnel, the infamous Target data breach underscored the risk of giving third parties access credentials to secure systems housing personal data, raising risk awareness to the highest levels of management.

Source: Top 10 Operational Responses to the GDPR – Part 9: Vetting and contracting with processors

US Data Processors and GDPR Impact

On May 25, 2018 the EU will have the right to fine and regulate foreign “processors” of EU subject data, including hundreds of U.S. companies. This article will address ways to protect your organization financially and remain compliant.

Get ready: The EU’s General Data Protection Regulation (GDPR) is set to take effect in under four months (May 25, 2018 to be exact). Under the new law, the EU can directly fine and regulate foreign “processors” of EU subject data. Making matters more complicated, the GDPR’s definition of “processor” is very broad and includes most U.S. companies that receive data, from any source, that personally identifies European Union subjects.

Source: US Data Processors and GDPR Impact

Third-party risk under the GDPR

According to recent research by RSA, failure to protect customer data is creating long-term business problems for organizations. That was evident at a packed event in London on Feb. 5, where discussion centered around the fear of being unable to manage the fallout of a data breach involving a third party.

With 69 percent of the 7,500 consumers surveyed from France, Germany, Italy, U.K. and the U.S. saying they have or would “boycott a company that showed a lack of regard for protecting customer data” the concerns are real. Furthermore, 62 percent of consumers would feel inclined to blame the company above anyone else, even the hacker — and certainly not a third contractor — if they lost their personal data.

Source: Three’s a crowd — third-party risk under the GDPR

Processor compliance with the GDPR

The General Data Protection Regulation expands the scope of enforcement to include a number of companies that are not based in the EU, but regularly do business with EU data subjects. The GDPR’s expanded scope not only affects those businesses, but also the businesses that provide processing services to them.

Source: Processor compliance with the GDPR: A 101

CNIL publishes guidance for data processors

On 29 September 2017, the French Data Protection Authority (the CNIL) released a guide for data processors on implementing the obligations laid down in the GDPR. Unlike the draft guidance recently published by the UK Data Protection Authority (the ICO), ‘Contracts and liabilities between controllers and processors’, the CNIL’s guidance focuses just on processor obligations and is structured around FAQs.

Source: CNIL publishes guidance for data processors

Businesses will be considered ‘aware’ of data breaches under GDPR when their data processors notice the breach

Businesses that outsource the processing of personal data to other companies will be said to be aware of data breaches experienced by those processors as soon as the processors themselves recognise the breach, according to proposed new guidance.

Source: GDPR: Businesses will be considered ‘aware’ of data breaches when their data processors notice the breach, says watchdog

What’s wrong with the ICO’s draft guidance on controller-processor contracts?

Controller-processor contracts and liabilities don’t seem destined for any guidance from the Article 29 Working Party, at least according to the WP29’s published work programs/roadmaps to date. However, some national regulators have picked up the baton. On September 13, the U.K. Information Commissioner’s Office issued draft guidance, Contracts and liabilities between controllers and processors.

Source: What’s wrong with the ICO’s draft guidance on controller-processor contracts?

When is a vendor a processor?

Privacy professionals have been involving themselves in their organizations’ vendor management programs for a few years now. Indeed, according to the 2016 IAPP-EY Privacy Governance Survey, 70 percent of respondents (up from 63 percent in 2015) were involved in a formal vendor management program — and the numbers are just as strong in this year’s upcoming report.

Source: When is a vendor a processor?

ICO GDPR guidance on Contracts and liabilities between controllers and processors

On 1 August we reported on the launch of the International Regulatory Strategy Group’s “Article 28 GDPR ready contractual terms” for use between controllers and processors. The ICO has now launched its draft guidance on this subject.

Source: UK: ICO GDPR guidance – Contracts and liabilities between controllers and processors