30 Nov 2017 • BLOG - News
GDPR Journal: The Steps We Took Towards Working With 3rd Party Providers
Welcome to the fourth instalment of the Mailjet (and my personal) GDPR Journal. So far we’ve looked at how I became a DPO, our GDPR compliance roadmap and how I updated our Privacy Policy to be in line with GDPR. It’s been a rollercoaster and the saga is set to continue as the next step was to look at not just our internal processes, but those of our partners and 3rd party providers.
Why am I focusing on this for a whole journal entry? I hear you ask. Well, because one of our biggest challenges in getting through our GDPR compliance roadmap was to perform an audit of our entire privacy framework. In other words, to audit all our existing third-party providers and software applications to ensure that they themselves were also meeting the GDPR requirements on data protection.
Why are we talking about our own providers?
At Mailjet, we collect and process the personal data of our clients (names, email addresses, IP addresses etc.) and under GDPR we must ensure that our entire privacy framework respects the rules GDPR brings into effect. That includes our own providers. Why? Because some of that data flows to their solutions, so data protection must be compliant on all fronts, not just inside our own systems.
In a post-GDPR era, we are all responsible for the protection of data subjects’ personal data. Meaning, not only will our clients (Data Controllers) be responsible, but also the Data Processors (in this case us), our own providers (our sub-processors), their providers and so forth.
What kind of providers are we talking about?
Well, it could be: CRM solutions used by Sales and Marketing teams (e.g. Salesforce), cloud IT services (e.g. Google, Amazon), social interaction and messaging systems used by Marketing and Support teams (e.g. Slack, Messenger), project management tools used by Product and Development teams, or external payroll and HR management solutions used by Administrative teams. I’m sure you use some tools like these too.
Being a small, agile business, each department regularly uses various online solutions and applications to help with its day-to-day activities. In the past, a member of Team Mailjet would most likely find a free or relatively cheap tool that could help his or her team, then quickly sign up without reading much of the terms and conditions behind the tool.
So, after functioning in this manner for several years, we found ourselves in a position where the company now had subscribed to various applications across its different departments — and all without much control over the access, uses and information collected.
Ok, so where did we start?
The list was long and the audit task proved quite daunting. Let’s see my action plan… Here are the key steps we took in order to complete the internal audit and analysis:
1. A complete list of all service providers and applications
The list needed to include:
- The providers and applications used.
- The exact customer data that was collected and transferred to these specific providers.
- Why the data was used.
- Where they stored the data.
- If there were any data transfers.
- What it meant to our clients.
We included other useful information in this third-party provider list too, such as the user access rights involved and the dates of the last verifications.
To compile this list, we set aside some time with each department head and began. The exercise actually proved to not only be beneficial for GDPR compliance, but also helps immensely with the control of a growing business, such as Mailjet.
This specific step took us several months. So start now if you haven’t already done so, because the 25th of May 2018 is creeping up on us quickly!
2. Ask your 3rd party providers some important questions
Next on my list was to contact every provider and ask some tough questions. I’m a big fan of making light work of a big task, so I decided the best approach was to send out a questionnaire asking for details on their information security and data protection measures. The form included questions on:
- Information security.
- Risk management policies.
- Employee training.
- Physical security.
- Access control measures.
- Data protection organization and technical measures.
Take a look for yourself at the 12 questions we asked.
3. Assess the level of risk
Depending on the responses I received back, I then had to assess the risks of transferring any of our own clients’ data to their platforms and data centers. This essentially meant verifying their measures, checking whether they were up to par with industry standards, and checking whether they were on the right track to data protection compliance.
4. Review all contracts in place and introduce new clauses and/or amendments
As part of the risk assessment, I also had to make sure that we put in place specific contractual clauses and amendments to ensure that these data privacy measures were respected at all times while we are using their services.
I then proposed various EU model clauses (standard contractual clauses) or data protection agreements to these providers to ensure we had the correct documentation in place, and, in some cases, negotiated the limits of liability between our companies in case of a third-party claim.
5. Switch to GDPR compliant providers
In some cases, the responses I received back were vague or elusive, to say the least. In these cases, a quick evaluation was needed of whether we could improve their commitment levels or switch to providers that could show they were on the right track. We started this process early, so that we could switch over to another provider should the need arise. So, be sure to give yourself enough time.
6. Review and control: Right to audit and yearly check
Next, I made sure to include in all contracts and amendments the right to audit the provider upon notice. That way we could make sure, at any moment, that our providers were not just talking the talk, but also walking the walk.
And finally, now that we’ve successfully jumped this massive hurdle, we need to ensure we repeat the review on a yearly basis. This means that we will need to verify that all our third-party providers continue to maintain the same level of technical and organizational measures for their security and data protection. How will we do this?
- Perform audits.
- Re-send the third party questionnaire for updates.
- Continue to ask the tough questions.
So there you have it, six steps to ensure all your third-party providers are GDPR compliant.
Have you reviewed your 3rd party providers? Or are you now thinking you need to? Share your experience with Mailjet on Twitter.