How to work with third party solution providers under GDPR?

What should I do if I use third party solutions to handle data under GDPR?
  1. Make a list of all the third party cloud solutions you currently use.

  2. Map out the path of your data during the lifecycle of the process to ensure an adequate level of security at every step.

  3. Assess the level of risk you could pose to individuals should your data be compromised.

  4. Determine whether you need to appoint a Data Protection Officer.

  5. Review all your contracts to understand where your data and applications are stored and whether your data is ever processed outside of the EU.

  6. Include strict confidentiality, data privacy and data residency clauses in your contracts.

  7. Ask your solution providers, especially those based outside of the EU, whether they are compliant with the GDPR regulation.

  8. Start evaluating and planning the switch to GDPR compliant solution providers if your current solution providers do not have plans to be GDPR compliant by next May.

Can I work with third party solutions outside of the EU under GDPR?

Yes, as long as these third party solutions adhere to GDPR guidelines on data processing and storage. Personal data can only be transferred outside of the EU to countries that satisfy the adequacy requirement or if you can assure an adequate level of privacy protection through Binding Corporate Rules.

What are Binding Corporate Rules (BCRs)?

Binding Corporate Rules are the EU gold standard for data privacy. BCRs allow multinational companies to transfer personal data from the European Economic Area (EEA) to their affiliates located outside of it, which do not ensure an adequate level of protection. The BCRs must be in line with the requirements of the Article 29 Working Party (on BCR):

  • Privacy principles (transparency, data quality, security…)

  • Tools of effectiveness (audit, training, complaint handling system…)

To ensure approval for their BCRs, companies must choose a lead data protection authority to approve BCRs and coordinate securing approval from other relevant data protection authorities.

The 12 questions you should ask your third party solution providers about GDPR
  1. Where are your data and applications stored?

  2. Is that data ever moved out of the EEA?

  3. Do you ever transfer data between data centers outside of the EU?

  4. Do you always inform me when my data is being transferred?

  5. Do you have a Data Protection Officer?

  6. What data controls and risk management processes do you have in place?

  7. How do you manage the version release process on your platform to ensure an adequate level of data protection?

  8. Who can access my data, under what circumstances and what can they see? Is this access tracked?

  9. Can I audit your security and technical measures for the protection of data?

  10. Do you have a security breach notification process in place?

  11. Do you currently adhere to Binding Corporate Rules?

  12. Do you have measures in place to become GDPR compliant in time for May 2018?