Opinion

Are your data processors GDPR compliant?

Your compliance depends on your data processors, and on their processors…

GDPR Auditing is an established company providing auditing, training and consultancy services focused on the EU General Data Protection Regulation.

It's not just your business that needs to be GDPR compliant. If your service providers process personally identifiable information (PII) on behalf of your business, they also need to be compliant, and it is your responsibility to ensure that they, and any other providers further down the processing chain, are.

The EU GDPR comes into effect on 25 May 2018 and applies to ANY business that processes personal data relating to individuals in the EU, wherever that business is based. You must ensure that your service contracts with your service providers (data processors, in GDPR terms) require them to process your data in line with the regulation.

We have found a number of examples where service providers do not meet basic good practice when it comes to data privacy, and in some cases are not even aware of the GDPR.

For instance, a recent article by Planet Verify’s Olga Padulosi found that “8 FROM 10 ACCOUNTANTS ARE NOT AWARE OF EU GDPR”. This is in line with our own experience, and it puts their clients at risk.

We would have thought that in the highly regulated world of chartered accountants, complying with new and changing regulations, rules and laws would be second nature.

It would seem not.

The situation gets more complex when processors outsource their own functions to other processors (sub-processors), for example the hosting of their IT systems, creating a dependency chain for compliance: a gap anywhere in that chain is a gap in yours.

Ensure that service providers that process PII for your business are obliged, by contract clauses, to comply with the GDPR (Article 28 of the regulation requires a written contract between controller and processor) before the regulation comes into effect. Without this in place, your business, as the data controller, will be liable for any administrative fines should there be a breach of your PII data.


© GDPR Auditing 2017
The information provided in this post is for general information only and is not intended to provide legal advice.