How to understand partner compliance for your own good
An important aspect of the new General Data Protection Regulation (GDPR), which is easily overlooked, is potential liability arising from third parties who handle your customer data. If a data breach is caused by a partner, and your customer data is stolen, accounts are hijacked, or any other harm is done, substantial fines may be on their way to your company.
To help, here are some primary things to consider when managing vendor partners and reviewing their compliance.
First, look at privacy policies and terms of service provided by your partner
Does the partner utilize cyber-security tools to prevent data theft such as 2FA or encryption?
The GDPR states that security tools must be in place to match the risks associated with data processing. 2FA is a good way to protect against account hijacking and encryption helps protect stored customer data.
Obtaining consent before data processing: no pre-ticked boxes allowed
Strict rules are in place that restrict data processing and client communications to activities that are either needed to fulfill contractual obligations or to deliver the service at the required level of quality. For any other data processing, consent must be a freely given, specific, informed, and unambiguous indication of the individual's wishes. Checking how a partner obtains consent is therefore a quick way to see whether the new regulations have been taken into account.
Look over the partner agreements and amend them where needed
Make sure they include the new regulations, then establish agreement between your company and the partner’s.
While there are additional aspects to consider, these four provide a good indication of whether the right kind of steps have been taken, and whether the partners you use can be relied on to provide a compliant service that will not leave you open to litigation, fines, or a PR nightmare.