[1]By Legal Futures’ Associate Exterro Inc [2]
Europe’s General Data Protection Regulation (GDPR) represents one of the most robust data privacy laws in the world. It gives European citizens the right to ask organisations how their personal data is collected, stored, how it’s being used, and request that personal data be safely deleted. It requires companies to clearly explain how personal data is stored and used, plus obtain your consent before collecting it.
The GDPR also introduced new terminology. A “Data Controller” is the entity (i.e. a company) that determines the purposes, conditions and means of the processing of personal data, whereas a “Data Processor” is an entity (i.e. a vendor) that processes personal data on behalf of the controller. Many of the ways that GDPR differs [3] from the previous directive ultimately require vendor risk management capabilities to be updated and enhanced. These changes include:
- The extension of legal obligations to service providers (data processors)
- A broader definition, or “higher classification,” of personal data (“sensitive data”) that must be protected
- New operational requirements for data processing
- Severe consequences for violations, including a maximum fine amounting to the greater of €20 million or 4 percent of global revenue
- A new set of requirements for third party data processors, as laid out in GDPR Article 28
In practice, companies should convey their policies and practices to their third-party vendors, while monitoring their compliance and ensuring complete protection across all channels of commerce, in order to ensure consistency and true protection for consumers. Non-compliance brings with it significant reputational and financial risk – as seen regularly with supervisory authorities imposing severe fines on companies falling short of the regulations.
Exterro recently discussed how organisations can manage third parties and vendors effectively and defensibly in order to mitigate risk. Watch the on-demand webinar by clicking here. [4]
You can watch the webinar replay, where leading industry experts Robert Grosvenor (Managing Director at Alvarez & Marsal), Tedrick Housh (Partner at Lathrop GPM LLP), Tash Whitaker (Global Data Compliance Director at Whitaker Solutions Ltd) and Stuart Davidson (European Marketing Director at Exterro) shared their knowledge and insight on managing third parties and vendors, by following the link below:
https://www.exterro.com/resources/data-privacy-you-are-only-as-strong-as-your-weakest-third-party/ [4]