Every company has relationships with third parties (e.g. software providers, public authorities, suppliers, etc.). Over the course of these business relationships, personal data is almost always shared between the parties. This is often a prerequisite for the provision of a service by a third party.
Let’s assume your marketing department uses software to send out the monthly newsletter. In order for the newsletter to be sent to all customers, your company must share the email addresses and thus the personal data of your customers to the software provider.
To ensure that the data remains protected, it is necessary to meet certain requirements and implement protective measures. Third-party risk management is therefore an essential part of every company’s data protection management, but is unfortunately often neglected and then can represent one of the company’s biggest sources of hidden risk.
Whenever you share personal data with a third party, the UK GDPR, Data Protection Act 2018 and other relevant data protection laws require you to verify that you are adequately protecting user data from any unauthorised access. For example, if one of your third-party providers suffers a data breach and your customers’ personal data is disclosed, your company will be responsible for resolution, reaction and communication, and may suffer severe reputational and operational damage; in addition to fines.
Some level of risk in data transfer is always present. Therefore, it is crucial that you carefully review and assess your third-party providers and understand any dangers they may pose before sharing your customers’ personal data with them.
Successful third-party risk management involves implementing legal safeguards for data transfers in addition to a detailed recipient registry. One of the most well-known transfer mechanisms are, for example, the standard contractual clauses that are specifically used for data transfers outside the EU, as well as relying on adequacy decisions, binding corporate rules, exemptions or other legal safeguards. These mechanisms are binding documents or legal bases for the data transfer and serve to ensure the protection of the personal data shared.
We refer to recipients when we talk about a natural or legal person, public authority, agency, company or other body to which personal data is disclosed, whether or not it is a third party. Any time data is transferred to a person or entity outside the data controller, they are considered recipients, so it is necessary to inform the data subjects of such transfers. It is necessary to keep a register of all recipients to ensure that this information can be consulted at any time.
Name and business name of the recipient
Recipient category and the role of the recipient (e.g. processor or controller)
Legal basis for the data transfer
Data processing agreements
Transfer mechanisms: standard contractual clauses or other relevant documents for data transfer (e.g. BCR’s (binding corporate rules) or similar)