Historically, organizations have sometimes been able to shift some liability for data breaches to their third-parties, if not all liability (this has been especially true for payment data breaches). 

Under GDPR, however, organizations are held responsible for all of their third-parties’ actions and can even be held responsible for fourth-parties’ actions if the organization doesn’t adhere to GDPR’s requirements. In this article, we’ll discuss what these requirements are and what your organization can do to comply with them.

Definitions

Before we dive into the requirements, there are four terms that are vital to understand when dealing with GDPR and third/fourth-party risk management:

  1. Controller
  2. Processor (i.e., third-party)
  3. Sub-processor (i.e., fourth-party)
  4. Processing

1. Controller: When many people hear the word controller in a compliance situation, they are often thinking of someone who ensures their organization’s policies are properly implemented and followed. GDPR’s definition of a controller, however, is completely different. Under the Regulation, a controller is any entity (a person or organization) that decides how personal data is to be processed. 

2. Processor (i.e., third-party): A processor is any entity (a person or organization) that actually processes personal data under and per the controller’s instructions. Processors are not permitted to use the controller’s data in any way except as explicitly authorized by the controller.

3. Sub-processor (i.e., fourth-party): While not an official GDPR term, sub-processor is a term that’s widely used in practice. A sub-processor is an entity that performs processing activities on behalf of the processor.

4. Processing: Processing is a broad term, essentially meaning any interaction with data. The official definition is “any operation performed on personal data (whether automated or not) including adapting/altering, aligning, collecting, combining, consulting, destroying, erasing, making available (e.g., distributing through transmission or dissemination), organizing, recording, restricting, retrieving, storing, structuring and using.”

Classifications are Relative

GDPR is a complex piece of legislation, and how an organization is classified is entirely relative. These distinctions are important to know as you enter into contracts with different entities and consider your organization’s respective responsibilities. To illustrate this concept, let’s consider a fictional scenario from the perspective of each entity. 

In this scenario, ABC, Corp. has hired Data Processing, Corp. to process some personal data. Data Processing, Corp. has, in turn, hired a company named Analyze Your Data, Inc. to assist with processing personal data. Analyze Your Data, Inc. has also hired some companies so it can fulfill its contract with Data Processing, Corp.

Classifications from ABC, Corp.’s Perspective

From ABC, Corp’s perspective, the other entities have the following relationships with it:

  • Data Processing, Corp - Processor (i.e., third-party)
  • Analyze Your Data, Inc - Sub-processor (i.e., fourth-party)
  • Other Companies - n/a (i.e., fifth-parties)

Classifications from Data Processing, Corp.’s Perspective

From Data Processing, Corp.’s perspective, the other entities have the following relationships with it:

  • ABC, Corp - Controller
  • Analyze Your Data, Inc - Processor (i.e., third-party)
  • Other Companies - Sub-processors (i.e., fourth-parties)

Classifications from Analyze Your Data, Inc.’s Perspective

From Analyze Your Data, Inc.’s perspective, the other entities have the following relationships with it:

  • ABC, Corp. - No relationship
  • Data Processing, Corp - Controller
  • Other Companies - Processors (i.e., third-parties)

Requirements

Now that we understand how organizations are classified and how they relate to one another, let’s discuss each type of organization’s responsibilities under GDPR, the requirements for entering into data protection agreements, and some of GDPR’s high-level requirements.

Controllers’ Requirements

Controllers are required to:

  • Ensure that their processors are able to comply with GDPR, including:
    • Only using processors that provide sufficient guarantees, especially in regard to the following, that they can implement appropriate mechanisms enabling compliance with GDPR:
      • Expert knowledge
      • Reliability
      • Resources
  • Approve, in writing, each of a processor’s sub-processors
  • Enter into a contract with each processor, commonly referred to as a “Data Protection Agreement”

Processors’ Requirements

Processors are required to:

  • Process the controller’s data only as directed in writing by the controller
  • Have all sub-processors approved by the controller:
    • In writing
    • Prior to being engaged
  • Take full responsibility if a sub-processor fails to comply with GDPR
  • Ensure that its personnel who will be processing the controller’s data are committed to keeping the data confidential
  • Assist the controller, when necessary and upon request from the controller, in complying with GDPR by carrying out data protection impact assessments
  • After completing the processing activities on the controller’s behalf and at the discretion of the controller, return or delete all personal data. 
    • If a processor is required to store the data to comply with another law, though, it may do so
  • Enter into a contract with the controller, commonly referred to as a “Data Protection Agreement”
  • Enter into a contract with each of its sub-processors, commonly referred to as a “Data Protection Agreement”

Sub-processors’ Requirements

Because GDPR’s classification of entities is relative, a sub-processor enters into an agreement with the organization hiring it, in which the sub-processor acts as the processor and the hiring organization acts as the controller. Each entity is then subject to the requirements that apply to that type of entity.

Data Protection Agreement (DPA) Requirements

DPAs may either be a(n):

  • Individual contract
  • Standard contractual clause adopted by the European Commission or a Supervisory Authority 

DPAs must:

  • Bind the processor to the controller
  • Specify the:
    • Types of data to be processed
    • Duration of the processing
    • Reasons for the processing
    • Processor’s specific tasks & responsibilities
    • Risks to the rights and freedoms of the data subjects
  • Require a processor to:
    • Take all measures required in Article 32 (more on this below)
    • Assist the controller in:
      • Fulfilling the controller’s obligations to data subjects’ rights (more on this below)
      • Complying with Articles 32 - 36 (more on this below)
    • Have all sub-processors approved by the controller
    • Enter into a separate DPA with each of its sub-processors
    • After completing the processing activities on the controller’s behalf and at the discretion of the controller, return or delete all personal data (unless required to retain the data by another law)
    • Provide all necessary information to the controller in order:
      • To demonstrate compliance with GDPR
      • For the controller to conduct audits of the processor
    • Inform the controller if, in the processor’s opinion, any of the controller’s instructions violate GDPR

While not specifically required, most controllers require their processors to inform them of any data breaches within 24 hours of becoming aware of the breach.

GDPR Requirements (high level)

Covering GDPR’s requirements would take multiple articles, but at a high level GDPR requires organizations to:

  • Respect the privacy rights of persons residing in the EU (not just EU citizens)
  • Ensure the confidentiality, integrity, availability and resilience of personal data

In this article, we referenced several GDPR Articles and the rights of data subjects. At a high level, these requirements are as follows:

  • Data Subjects’ Rights
    • The Right to Rectification
      • An individual may direct an organization to correct personal information that is incorrect
    • The Right to Be Forgotten
      • An individual may direct an organization to delete any and all of their personal data
    • The Right to Data Portability
      • Personal data must be easily transferable between related services
      • An individual may direct an organization to either provide them with a copy of their personal data in an easily transferable format or transfer the personal data to a similar type of service
    • The Right to Object
      • An individual may direct an organization not to process any or all of their personal data
    • The Right to the Restriction of Processing
      • An individual may direct an organization to stop processing any or all of their personal data
    • The Right of Access
      • An individual may direct an organization to provide them with all of their personal data, including:
        • Data the individual has given to the organization
        • Data the organization has:
          • Collected on the individual
          • Inferred about the individual
  • Article 32 - Security of Processing Personal Data
    • Processes and controls must be implemented to ensure that personal data is appropriately secured, depending on the type & sensitivity of the data processed
  • Article 33 - Breach Notification to Supervisory Authorities
    • Processors must promptly notify their controllers of any personal data breaches
    • Controllers must notify the appropriate Supervisory Authority that a personal data breach has occurred within 72 hours of becoming aware of the breach
  • Article 34 - Breach Notification to Data Subjects
    • Controllers must inform data subjects of any data breach immediately if the data breach is likely to cause a high degree of harm to the data subjects
    • Controllers do not have to inform each data subject impacted by a data breach if any of the following conditions are met:
      • The data was appropriately encrypted
      • The controller has taken appropriate steps to ensure that harm to the data subjects resulting from the data breach is no longer likely to occur
      • Doing so would be too time-consuming, costly, etc. In these cases, a public notification is to be made.
    • Supervisory Authorities may require controllers to inform data subjects of any data breaches, regardless of impact on the data subjects
  • Article 35 - Data Protection Impact Assessment
    • If processing activities are likely to significantly affect the rights & freedoms of data subjects, controllers must carry out a data protection impact assessment
  • Article 36 - Prior Consultation with Supervisory Authorities
    • If a data protection impact assessment finds a high level of risk to data subjects’ rights and freedoms without appropriate controls or compensating controls in place, the controller must consult with the appropriate supervisory authority prior to processing the data

What Your Organization Can Do

To ensure your organization is complying with GDPR and to limit its exposure to risk:

  • Thoroughly vet all third-parties and fourth-parties that will touch personal data subject to GDPR
  • Enter into Data Protection Agreements with each of your third-parties who will be processing personal data subject to GDPR
  • For US-based companies, consider becoming US-EU Privacy Shield compliant
  • Be compliant with all of GDPR, including respecting the privacy rights of individuals residing in the EU (not just EU citizens)


Sources

  • Original, full text of GDPR
  • GDPR’s recitals (i.e., official guiding instructions)
  • Personal experience dealing with GDPR