Ensuring GDPR Compliance: A Deep Dive Into Due Diligence

by Margaret Julian | Aug 29, 2023

The Compliance Specialist recently completed a project with a client who was required to demonstrate GDPR compliance within three months of signing a contract. Part of the project included a review of their due diligence process to ensure our client’s data protection practices were up to standard. In this article, I explore some of the essential steps we took to guarantee compliance and protect the privacy of individuals whose data was being shared with third parties.

Understanding Due Diligence in GDPR Terms

When an organisation shares personal data with third parties, it’s essential to be confident that the third party handles it responsibly too. This is where due diligence steps in. By going this extra mile, you gain reassurance, document the process, and potentially establish a contract with the third party. It’s like window shopping before making a purchase, making sure you’re getting what you expect.

In mergers and acquisitions, where data must be transferred to a different or additional controller, due diligence may be an obvious step. But many clients find that even when they simply partner with another organisation for services, they must meet certain criteria, such as supplying a data protection policy, to demonstrate compliance with GDPR. This is GDPR due diligence in operation!

Deep Diving into Data Mapping

Our first step was to revisit the data mapping exercise from our previous audit. This exercise had formed the basis of the organisation's Register of Processing Activities (RoPA) and allowed us to identify the third parties with whom personal data was being shared. Sharing data with third parties is processing in its own right, so the organisation must have a lawful basis for sharing it.

Determining the Relationship with Third Parties

The next step was to ascertain the relationship with each third party: whether it was operating as a Data Processor or a Data Controller. Data Processors have different obligations from Data Controllers, such as the reporting of breaches and the use of sub-contractors, and as a result different contracts are required: Data Processing Agreements (Data Controller to Data Processor) and Data Sharing Agreements (Data Controller to Data Controller).

What’s in the Shop Window – Privacy Policies

A straightforward yet essential step was to review the privacy policies of the third parties – which should be readily available on their websites. A privacy policy should provide an overview of how an entity processes data throughout its organisation. We also checked if the third party stored data outside the EEA, as this could lead to data transfers without GDPR protection and should prompt a more in-depth look.

A privacy policy that covers all aspects of data processing shows the organisation's awareness of its GDPR obligations. Conversely, a narrow privacy policy that only addresses website data may indicate a lack of compliance with GDPR and requires a closer look. Most will list a contact email for enquiries.

Also watch out for any indication in the privacy policy of the location of the server the third party uses. Many organisations are conscious of the implications of having European customers and thus select a server located in an EU country to store the data of their EU-based clients. However, some larger US-based organisations will steadfastly remain in the US. For example, at the time of writing this article, the ever popular San Francisco-based Mail Chimp has always stored data on US servers and gives no indication of moving.

Handling Contracts for Data Sharing

While the primary responsibility for ensuring a data sharing contract lies with the Data Controller (our client), some larger Data Processors publish data processing agreements on their websites (such as the aforementioned Mail Chimp), making compliance easier. However, for smaller entities it may simply be a case of sending them a contract and asking for their agreement. It's important to note that for third countries outside the European Economic Area (EEA), we rely on the Model Standard Contract Clauses (SCC) issued by the European Commission to safeguard shared data.

The ultimate goal for any organisation sharing personal data is to have solid contracts in place, protecting the privacy and rights of the individuals whose data is shared. This can be a time-consuming process, as each third party must be engaged to negotiate and sign the contracts, which must detail the types of data shared and any sub-processors involved. Requesting a data protection policy from the third party further demonstrates GDPR compliance. Once all contracts are signed and collated, they can be held on file as evidence of compliance.

Conclusion

Ensuring GDPR compliance through due diligence is an often overlooked but crucial aspect of data protection in today's interconnected world. Understanding your relationships with your third parties, and simply not taking for granted that everyone is GDPR compliant, is possibly the best first step you will take. Building trusting relationships with clients is precious, and that trust can all too easily be undone by a non-compliant third party. While the process may be complex and time-consuming, consider the fallout if an entity that you share data with suffers a breach and an investigation is looming. Ultimately, due diligence is an investment that pays off in the long run, even if you do bring in The Compliance Specialist to support you; it provides peace of mind for all parties involved.

Margaret Julian is the founder/director of The Compliance Specialist, and winner of the Solo Business Woman Award 2023 for Network Ireland Waterford. The Compliance Specialist supports organisations and financial brokers to safeguard and comply with the requirements of GDPR Data Protection Legislation and Central Bank Regulation.