GDPR: 3rd party data processors

We’re still coming at you with some hard GDPR truths! Every day that goes by is one small step towards GDPR’s arrival.

Hopefully, by now, you’ve taken a good look at your internal processes. Once these are compliant with GDPR, you’re well on your way to full compliance. The next step is to take a look at your 3rd party data processors.

We’ll discuss some key ones that many companies use every day. Not sure whether one of your suppliers or the services you utilise counts? Well, ask yourself this:

Are they authorised to process data on our behalf?

If the answer is yes, they’re a 3rd party data processor.

Before we get into the nitty-gritty, though, let’s answer an important question that I’m sure many of you are asking:

What is a 3rd party data processor?

The question above should give you some idea, but the recognised definition is:

An entity that processes personally identifiable information on behalf of a controller.

In this context, you are the controller, and a 3rd party processor is a service provider or system that processes information on your behalf, for example:

  • Email service providers
  • Customer relationship management systems (CRM)
  • Web hosting providers
  • Human resource management systems (HRM)

These are just a few examples. If you’re unsure, remember that if they are handling and processing data for you, then they have to be GDPR compliant. It’s still your data and, ultimately, you’re responsible for it, regardless of whether you or they are processing it.

What can you do to ensure they’re compliant?

If you’re trusting a 3rd party data processor with your data, then it’s your responsibility to ensure their handling of that data is compliant with GDPR. If that 3rd party is non-compliant and charged under GDPR, you will be just as liable as they are if your data is involved in those poor practices.

To ensure that they’re compliant, it’s important to assess your current 3rd party data processors.

Firstly, are they based in the US? If so, it may be time to switch to an EU-based provider, because the US will not be legally obligated to be compliant with GDPR. That being said, if you’d like to stay with them, a read through their privacy policy and a discussion with them would be advisable.

Secondly, do some research. Check to see whether your provider has made any public releases or written any articles that demonstrate how they’re adapting to GDPR. If they haven’t, it might be time to give them a call and find out what they’re doing about it.

The key information to obtain from your 3rd party data processors is: where is your data, who has access to it, and how is it being stored and protected? Once you know this, you’ll be able to make an informed decision on whether to stick with them or move on.

Want to talk to us about your marketing and how it could be affected by GDPR? Feel free to send us a message on Facebook or tweet at us (@weareredpepper).

Content Marketing Manager