By Mitch Hoppenworth
As you are likely aware, the GDPR compliance deadline is fast approaching—May 25th to be exact.
- Do you know what data you collect/store?
- Do you have a Data Privacy Officer?
- Have you conducted a Data Privacy Impact Assessment?
- Is your staff trained on EU privacy?
The questions may seem endless. But fear not: there is no shortage of information and assistance at your disposal to ready your organization for compliance.
Have you started your GDPR compliance efforts? Some say that more than 50% of organizations have not begun any work. If you have started, hopefully you were able to begin with a project plan, as this was never going to be an easy undertaking and the checklists continue to cascade. To be successful, you had to have internal cooperation and additional support—it’s not as if the regular day-to-day work has disappeared or you have been granted more hours in the day. Perhaps your organization budgeted for guidance and resources to complete this task; if that’s true for you, consider yourself lucky.
Your boss or the Board of Directors may already be quizzing you on GDPR compliance readiness. And if they haven’t, the expectation that they soon will has your brain roiling thinking about risks, weaknesses, and controls.
As a compliance professional, you already recognize that while third parties are a necessity for an effectively functioning organization, they invite plenty of risk. When it comes to GDPR compliance, third parties who are processing EU personal data only magnify that risk.
But you already have an effective third-party vendor management program… right?! Most organizations have hundreds—if not thousands—of third parties. You know who those third parties are; you know if they are processing EU personal data on your behalf; you have contracts with third parties that protect you.
…Wait, some or all these pieces are not in place?!
Third-party management for GDPR purposes can be a heavy lift and a large undertaking for an organization seeking GDPR compliance. Again, fear not: a Legal Process Outsourcing (LPO) company like Mindcrest can help. By leveraging our trained legal team and combining technology and process efficiencies, Mindcrest can assist organizations with GDPR compliance and with the identification of third parties who are processing EU personal data.
It is important for organizations seeking GDPR compliance to assess the capabilities of those third parties who process EU personal data. Under GDPR, those third parties become processors, and the organizations that engage them, now known as controllers, remain responsible for that processing and for its compliance with EU personal data requirements.
Controllers can outsource the processing of EU data but not the responsibility for it; they remain ultimately accountable, and that is the reason assessments become so important. Assessments of third parties can become a time-consuming and labor-intensive task. With several iterations of review and multiple touch points, Mindcrest has successfully solved client third-party assessment challenges.
Once third parties have been identified as processors of EU data and assessments have been completed demonstrating their capabilities to process that data, contracts will need to be addressed. Third-party processors of EU data will need their existing contracts amended to identify the processor’s GDPR responsibilities in addition to identifying the risk relationship between the parties. It’s to be expected that all third-party processor contracts will need to be rewritten or amended under GDPR. Whether it’s contract drafting and negotiation or contract risk and obligation management, Mindcrest has years of experience in working to ensure clients’ third-party contract compliance.
Identification, assessment, and contracting with third-party processors are critical steps for GDPR compliance. Each step is resource-intensive, and the compliance deadline is fast approaching.
So now the question to ask yourself is:
Could you use some cost-effective expertise in meeting your GDPR compliance goals?