The General Data Protection Regulation (GDPR) is already having more impact on data privacy than perhaps any regulation in history. Because of its broad reach and heavy fines (up to 4% of revenue), GDPR is forcing every organization that collects personal data to examine its privacy practices and those of its vendors. In short, the entire Information Supply Chain is under scrutiny.
At Information Shield, we hear from many clients with this common question: Can you help with GDPR? But after just a few minutes of conversation we learn that many companies are not even aware of the most basic elements of their compliance requirement: Are they a Controller or Processor? The answer has a huge impact on the level of effort required to make a privacy program address GDPR.
In the parlance of GDPR, a “Controller” is any organization or person who collects personally identifiable information (PII) from individuals (“Data Subjects”) in the EU. For example, if I am a resident of the EU and apply for a personal bank loan, I am the Data Subject and the bank is the Controller. As long as my personal information never leaves the bank, the case is pretty simple. However, in the real world this rarely happens. Once a Controller starts to use third parties to process my data, those third parties come under the umbrella of GDPR as a “Processor”. A Processor is any third party that is used by the Controller to handle my personal information. So if my loan is sent to a credit agency for review, that agency is now considered a Processor under GDPR.
In obvious cases like my loan example, it is pretty easy to understand who is responsible for what. But the real world is much more complex. There are literally hundreds of thousands of businesses around the world that are collecting and processing data, but their compliance requirements are not so clear-cut. Many organizations support hundreds of customers that may be Controllers and collect data from thousands of people who may qualify as Data Subjects. Understanding your role in GDPR is the first and most essential step in defining what specific information security and data privacy controls the organization must implement.
Shaking the Information Supply Chain
If your organization is a “Controller”, it will feel the full force of GDPR. This means that all of the data protection requirements for building and managing a privacy program will apply to your organization. Your entire organization must adopt policies and practices to provide your customers with choices on how their data is collected, processed, stored and destroyed (Art. 12-23). For example, your organization must identify a Data Privacy Officer and prepare for communication and disclosures to regulatory bodies (Supervisory Authority – Art. 54). The Controller must also create a robust vendor risk management program to determine which vendors are “Processors” and must come under GDPR (Art. 44-50).
If your organization is a “Processor”, the requirements are much less severe. As a Processor, you are still required to develop a robust information security program that protects customer data. But as it relates to GDPR, your main focus is to support your customers, which are the Data Controllers. If you are a Processor, the most likely impact on your business will be to support greater visibility into any personal data you process. For example, you may be required to delete records if a Data Subject exercises his or her “Right to be Forgotten” (Art. 17). You may be required to provide an accurate copy of the Data Subject’s data or indicate exactly how the data is used and protected within your organization.
In summary, if you are a Processor, your main concern will be supporting your customers. If you are a Controller, you must interface with consumers (Data Subjects), authorities (Supervisory Authority), and third parties (Controllers).
The GDPR Blanket
One of the mistakes we see companies make (especially in the US) is assuming that all of their vendors must fully comply with GDPR as a Controller. The organization throws a GDPR blanket across its entire supply chain. What they don’t realize is that this act of precaution creates a major ripple effect, because full GDPR compliance is much more costly than GDPR compliance for a Processor.
We see vendor assessments where a vendor (that might possibly be a Processor) is given a list of questions. These questions apply to the full force of GDPR and are not appropriate for the vendor organization. This creates a tremendous amount of scrambling in both organizations. The Vendor is afraid to push back because they have a paying customer. The Customer organization is in a panic because their vendors are not properly filling out the forms. This entire process can be fixed if the Customer organization clearly understands its role in GDPR and those of its vendors.
Know Your Role in the Supply Chain
Articles 1-4 of GDPR tell your organization how GDPR applies. It has two qualifying parts: Material Scope (Art. 2) and Territorial Scope (Art. 3). Material Scope is defined to include organizations that target goods or services at individuals in the EU. Territorial Scope applies the regulation to organizations that either collect data of EU citizens, or are headquartered in another geography but still handle the data. Senior management, along with legal counsel, should carefully understand these definitions and then make a conscious declaration of the organization’s role and compliance requirements.
In summary, GDPR requires that every organization clearly understand its role in the Information Supply Chain. Each and every organization must adopt and document a robust information security program to protect information (Art. 32 – Security of processing). However, if your organization is not required to fully implement GDPR, don’t be afraid to push back in your channel. You might save your organization a lot of time and effort.