Six months and counting— How GDPR impacts third-party management

December 06, 2017 // Ellen Neveux

Last Updated: November 18, 2020

In May 2018, the European Union’s General Data Protection Regulation (GDPR) goes live. The regulation, which is intended to “harmonize data privacy laws across Europe,” has American companies pushing toward compliance. Have you updated your third-party vendor agreements lately?

Long concerned with data privacy and protection, the European Commission passed the GDPR, a sweeping standard that replaces the European Data Protection Directive, which was adopted in 1995.

The EU is moving steadily forward on issues of data privacy, protection, and internet neutrality, creating a challenge for global internet companies who move and collect data across international borders 24/7. The GDPR goes into effect on May 25, 2018.

A few things you need to know about GDPR

The scope of the GDPR is extensive. If the rule applies to you, and you are not yet taking steps toward compliance, you may have a problem. To decide whether the GDPR is of concern to your business, answer this question:

Does your company or enterprise “offer goods or services to, or monitor the behavior of EU data subjects?” The regulation “applies to all companies processing and holding the personal data of subjects residing in the European Union, regardless of the company’s location.”

In other words, if you process any information on citizens of the EU, the answer is “yes.” Personal data includes an email address, a photograph, computer IP address, any information on social media, all personal information like banking or medical information—even a name. Parental consent is required to process any data of children under 16, in no circumstances younger than 13 years of age.

The regulation applies to your third-party vendors as well. Here are some standout points about the GDPR you should know:

  • The scope of the GDPR is global. Whether inside or outside of the EU, anywhere on the planet, businesses processing the personal data of EU citizens are subject to this regulation.
  • The penalties for non-compliance are steep. If you do not have your records in order, you can be charged 2% of your annual global revenue. A serious breach of the GDPR by you, or by your third-party contractors, could cost you 4% of your annual global revenue or about $23 million—whichever is greater. Certain record-keeping requirements may not apply to companies that employ fewer than 250 people.
  • Understanding the language of the regulation is important. A “controller” is the “entity that determines the purposes, conditions, and means” of processing personal data. A “processor” is an “entity which processes personal data on behalf” of the controller. If the processor steps out of line on compliance, the controller—your company—can also be found liable.

Just some of the rights provided to EU citizens by the GDPR include:

  • Victims must be notified about a breach of their data within 72 hours of knowledge by the company.
  • Citizens can obtain information from controller companies about whether their data is being processed, why, and where—the controller must provide an electronic copy of the information upon request.
  • An EU citizen can request their personal data be erased or the processing of that data discontinued.
  • Controllers and processors must build data protection into the architecture of their system, and limit access to their system.

A good time for compliance—get it in writing.

About SecureLink

At SecureLink, we understand that the relationship between enterprises and their third-party vendors must be secure – but can also be difficult to manage. Our solution allows enterprises to maintain full control of remote access through a platform built specifically to secure vendor connections with the goal of data and network protection.

Our sole focus is secure third-party remote access. For highly regulated enterprise organizations, SecureLink Enterprise has pioneered a secure remote access platform. SecureLink for enterprise allows an organization to identify, control, and audit third-party vendors. For vendors, SecureLink is the gold standard remote access support platform because it is easy, efficient, and ensures compliance and reduces liability when supporting customers.
