Have you ensured the GDPR compliance of your subcontractors? You must verify that they comply with their legal obligations. Review your supplier portfolio, contract signatures, audits… We will tell you how to do it.
What is a subcontractor under GDPR compliance?
The comprehensive list includes any internal or external entity that may handle personal data – and sometimes collect it – on your behalf.
- Your IT solution providers (CRM, audience measurement solution, marketing automation…);
- Your service providers (technical integration, data hosting, maintenance, call centers, consulting…).
The data processing thus carried out is subject to GDPR compliance.
Why ensure the GDPR compliance of your subcontractors?
Imagine having to:
- organize representative staff elections via electronic voting;
- plan a contest campaign redirecting to a website to participate.
If these operations are not the core business of your company, or even of your department, you may want to outsource their execution. However, contrary to popular belief, fully outsourcing a service does not mean delegating responsibility to your subcontractor. There are many reasons to check your subcontractors, and doing so is one of the top priorities in managing your GDPR compliance.
- The IT solution provided to you may include modules designed by other players. In other words, external entities may handle data stored on your behalf.
- Some services will be delegated to other subcontractors by your service provider. You must therefore keep control of the situation and, in particular, keep control over the use of subcontractors established outside the EU.
- You are legally obliged to check their GDPR compliance. Merely signing a contract that lacks an up-to-date personal data clause can be held against you.
- You are accountable for the security breaches of your subcontractors. Was your data stored on a highly insecure server? Is your customer data (quotes, invoices) accessible on the public Internet? Was your service provider’s marketing automation solution hacked? You must notify the CNIL of any personal data breach. The authority may also criticize you for choosing a supplier that provides only some of the required guarantees.
- When your customers and prospects ask you to communicate all their data in your possession, this includes data stored by your service providers.
In 2014, the CNIL issued a public warning to a telecom operator for failing to verify the security level of its subcontractors, in particular by auditing them.
How to ensure the GDPR compliance of your subcontractors?
- Make a list of your current subcontractors. Prioritize reviewing the most critical ones, then gradually examine all the others.
- Ensure that all your subcontractors are still necessary. Use this to clean up and stop relationships that no longer serve you (an abandoned game website or an online personalization solution you no longer use…).
- Update contracts, incorporate a new data protection clause, or strengthen existing ones.
- Identify service providers transferring data outside the European Union. These transfers must be legally secured, ideally by signing standard contractual clauses. This may involve suppliers giving their American parent companies access to data, or service providers using offshore subsidiaries or subcontractors…
- Check the security policy deployed by your suppliers. Feel free to plan for an audit in the most critical cases.
- Review your selection and procurement processes for new suppliers, particularly regarding calls for tenders and public contracts. Incorporate your legal data protection and IT security requirements.
Conclusion: Pay attention to the GDPR compliance of your suppliers
This is an excellent opportunity to optimize your supplier management. You can better control your data by streamlining it to what you need.
Your legal responsibilities also require serious oversight during both the selection and purchasing phase and throughout the service. This involves signing updated contracts, but it’s not just about that.
Ultimately, these significant efforts also enable you to justify the trust your prospects and clients place in you. Demonstrating a real commitment to data security is an argument that can set you apart from the competition.
For instance, Axeptio’s back-office lets you list your subcontractors and provide information on their compliance, including names, recipient countries for data transfers, and transfer framing mechanisms used.