You’d be forgiven for thinking that GDPR is challenging for you as a small business owner. Not only do you have to ensure that you’re GDPR compliant as a business yourself, you also have to ensure that all your third party service providers who process personal data for you (“processors”) are GDPR compliant too.
GDPR protects personal data. That means that if you are controlling clients’ or customers’ (data subjects) personal data using a third party service provider (such as a CRM or email marketing software), you must document and prove that particular processor is GDPR compliant too.
But how can I ensure my processors are GDPR compliant?
Here are my five simple steps to making sure your processors are GDPR compliant:
1. Make a list of all your processors. Providers like email marketing software, accounts software, cloud storage, CRM etc – anyone who processes personal data under your instructions.
2. Carry out research on all of your processors to see what they are saying about complying with GDPR. We have a spreadsheet on the status of many of the commonly used processors in my GDPR Facebook group [insert link to facebook group]
3. Make sure that you have a written Processor Agreement with all of your processors that contains all of the required provisions as set out in GDPR. If you are using a big processor eg Mailchimp, they will have their own Processor Agreement (or may incorporate the required processor terms into their terms of business). If your processor is smaller (such as a virtual assistant), then send them your own Processor Agreement (note that the obligation is on you as the data controller to ensure that a Processor Agreement is in place).
4. Work out whether each of your processors is based outside of the EEA or is transferring data outside of the EEA.
Next to each processor, mark where they are located – are they in the EEA, or are they outside of the EEA (European Economic Area)? Also check to see where they store or transfer their data (is it outside of the EEA?).
- EU countries are: Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the UK.
- EEA countries are all EU countries, plus Iceland, Liechtenstein and Norway.
5. If your processor is located outside of the EEA or if they transfer the personal data outside of the EEA, ensure you have the necessary safeguards in place for the transfer of that data.
Firstly, check if such countries are included in the list of countries which have been deemed to have a ‘positive finding of adequacy’ of data protection by the European Commission.
- These countries are Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay.
The European Commission assesses these countries to decide if they are adequately protected and if they agree they are, then they are happy for data to flow between our two countries without any further steps on your behalf.
If your processor is based in the US, or if it transfers personal data there, then you need to check if they are registered on the EU/US Privacy Shield List.
The European Commission says “This framework protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States for commercial purposes. The framework also brings legal clarity for businesses relying on transatlantic data transfers.”
If you go to the Privacy Shield Database you can search for each company on your list to see if it is registered.
But what if your processor is not in the EEA, not in a country with an adequacy finding and, if based in the US, NOT on the Privacy Shield Framework?
Thankfully, there are other ways of transferring data lawfully if you find that your processors aren’t in the EEA, aren’t in a country with an adequacy finding or aren’t part of the EU/US Privacy Shield.
The main existing way to safeguard personal data when it’s being transferred internationally and none of the above safeguards apply, is to enter into standard contractual clauses that have been pre-approved by the European Commission.
GDPR also provides for codes of conduct and certification but these are not established safeguards as yet.
What if your processor won’t enter into the standard contractual clauses (and a code of conduct or certification does not apply)?
Well in that case, you need to get explicit consent from each and every data subject to the transfer of their data outside of the EEA. The place to do this is via your new Privacy Notice and also a tick box (not pre-ticked) at the point of collection of the personal data (or if you are requesting the consent to transfer outside of the EEA after collecting the data, by a standalone request and tick box consent).
Aside from helping you with the steps to take as set out in this article, if you need to obtain a GDPR compliant Processor Agreement (that includes the EU standard contractual clauses for data transfers outside of the EEA) and a GDPR compliant Privacy Notice, then you may be interested in my GDPR Pack (which is currently priced at £147 and contains 20 legal documents and checklists to help you comply with GDPR). The price will be rising to £197 on 25 April 2018 (with one month to go until GDPR comes into effect).
As part of GDPR, we all need to be more vigilant about what personal data we are transferring outside of the EEA and put in place safeguards to protect people’s personal data.
By following my simple steps above (and by having the appropriate documents in place), you can take comfort that your third-party service provider processors are GDPR compliant.
If you’re feeling swamped by GDPR advice and don’t know how to discern the facts from the fiction, come over to my free GDPR For Online Entrepreneurs Facebook group where you can ask questions, watch my daily videos answering common questions and concerns and get real, factual guidance from a real expert.
Suzanne Dibble is a multi-award winning business lawyer who consults with multi-nationals on data protection law and the upcoming GDPR. The Legal Services Board and the Law Society have heralded her innovative approach to helping small business owners with complex regulations. Suzanne worked with Richard Branson at Virgin where she managed a group wide data protection project which resulted in Virgin nominating Suzanne for the Solicitor of the Year Award and subsequently Suzanne was runner up in this prestigious award. Suzanne has had second to none training and experience at a top City law firm, leading billion pound deals and being on the board of £100m+ business (resulting in her being listed in the Who’s Who of Britain’s Business Elite two years in a row). Suzanne is one of the few lawyers that really understands the online world and the small business world and puts law and regulation in the context of your business. There has been a lot of scaremongering and hype about GDPR (with the headline fines of 20m) and Suzanne brings a practical, balanced approach.