The effort to ensure compliance with the European Union’s new General Data Protection Regulation (GDPR) does not stop at your front door or firewall. In recognition of the flow of data throughout the digital economy, the GDPR — which goes into effect May 25, 2018 — includes several provisions that require a company to work closely with its broad ecosystem of partners when processing the personal data of EU residents. These mutual dependencies and obligations will change how marketers select and work with vendors and service providers.
Consider three ways in which the GDPR complicates the relationship with vendors and other partners:
- Joint liability between controllers and processors. Existing EU data protection law applies to data controllers — the companies that determine the purpose and the means of data processing. The GDPR extends the compliance obligation to data processors — those companies that carry out processing at the direction of a controller. What’s more, the GDPR establishes joint liability for non-compliance in many cases, meaning that data processors (and sub-processors) could expose an “innocent” controller to fines or other sanctions. By the same token, processors will have to be far more careful about what business they take on.
- Responsibility for compliant data sourcing. The obligation to ensure that personal data has been acquired in a compliant manner (i.e., by way of the consumer’s consent, or another legal basis outlined in the regulation) applies not only to a company’s own first-party data but equally to data from other sources, such as a dealer network or a third-party data broker. Firms may need to create new and more detailed processes for verifying that sourced data is compliant.
- Data protection by design. The GDPR requires every affected firm to practice data protection by design (DPbD). DPbD stipulates that data protection principles and practices should be built, from the outset and end-to-end, into every business process that handles personal data, not treated as an afterthought or add-on. The obligation to practice — and prove that you practice — DPbD extends to any selection process for what the regulation calls “producers of the products, services and applications” used in data processing (e.g., software vendors and digital agency partners).
Together, these and related GDPR requirements will transform the conversations marketers have with current and prospective vendors. Key questions include:
- How do your products/services help me practice data protection by design? Vendors should be willing and able to discuss features such as access controls, secure information exchange, data leakage prevention and breach detection. Beyond such security concerns, you should explore how the solution will enable marketers to work in a way that is both efficient and GDPR-compliant.
- What is your GDPR compliance strategy? An obvious sign of a vendor’s knowledge of and commitment to the GDPR is the state of its own compliance effort. Is it willing to reveal (and share best practice tips from) its own GDPR strategy? Does it have a data protection officer (DPO) responsible for overseeing data protection strategy and implementation to ensure compliance — a role mandated for some firms and recommended for others? How is it navigating the requirements for, say, consent or legitimate interest?
- What is your roadmap for GDPR support? May 25 is a starting point, not a deadline. What matters most is how you adapt to not only survive (i.e., avoid fines) but thrive (achieve competitive advantage) in the new environment defined by the GDPR. Look for vendors that not only ease the compliance effort but also have a perspective on successfully operating under the GDPR.
- How will your sales and service agreements reflect GDPR requirements? With controllers and processors now jointly responsible for compliance (as noted above), buyers might favor providers that have taken the initiative to craft appropriate contract terms.
- Show me the compliance! Okay, that’s not a question. But if you acquire personal data of EU residents from outside sources, you need to make very sure that it does not expose you to risk.
Building trust-based relationships between consumers and sellers is arguably the fundamental aim of the GDPR. Building similar relationships between marketers and vendors will be a key to business success in this new world.