The General Data Protection Regulation (GDPR) is replacing existing EU data privacy regulations. Organizations that are impacted by the regulation must achieve GDPR compliance by May 25, 2018. Among the many business processes it impacts, GDPR may significantly change your company’s selection of business software vendors.
While this blog post isn’t a GDPR deep-dive (a weighty undertaking), it does touch on some important considerations for companies that seek GDPR-compliant business software. You may also want to reference our recent post on how to determine whether or not to comply with GDPR, if your company is still in the decision-making phase.
Under GDPR, “data controllers” collect and use personal data to achieve a purpose – for example, companies may wish to collect various kinds of employee data for use in business processes. The controllers may rely on “data processors” in the form of cloud software vendors, whose solutions enable the desired process.
So, as you evaluate your cloud software vendors, there are several questions you may want to ask them to ensure they are meeting your company’s GDPR compliance requirements.
Ask – Will the system permit you to include or link to your own privacy notice, where you set out your basis for the collection of the personal data you will enter into the system?
Where such business software is concerned, your company may be collecting and entering the personal data of employees, customers, contractors, and other parties into the system. This brings certain obligations, including informing the data subjects of your purpose for collection, and describing how you handle the data thereafter.
If it isn’t possible or desirable to include or link to your own privacy notice, consider how your company will otherwise inform data subjects of the basis and purpose for data collection.
Ask – How does your system handle data access permissions? Can user rights to data be restricted to only what is appropriate for the user’s role?
The software must also permit you to configure for data privacy, so that users see only what they should see and nothing more. Business software is seldom fully configured out of the box; you will likely be defining the user rights and roles for your system yourself.
Ask – Can you demonstrate your ability to implement the technical and organizational measures necessary to meet the requirements of the GDPR? Do you use a certification framework (such as Privacy Shield for U.S. companies) or other safeguards to govern cross-border transfers of data?
Review the software vendor’s security and data privacy practices for GDPR compliance, as well as their privacy notice and policies.
Ensure that the vendor understands that GDPR compliance is a requirement. Check the contract to ensure the necessary provisions are present.
The contract should set out the provisions necessary for GDPR compliance on the part of the data processor. It should describe the processing, including the types of data and categories of data subjects. It should also set out how and when data will be returned or deleted after processing. Often, these provisions are set out in a data processing annex to the contract.
Ask the vendor to fully describe all the ways they will process the data you enter into the system, to ensure that you and the processor are clear about your intentions.
Processors have other obligations to controllers, including the requirement to process data only on the instructions of the controller. This can be confusing – the use of business software doesn’t seem to include overtly “instructing” the vendor. However, the controller’s instructions are embodied in its selection of the vendor’s software, because the software must meet the controller’s specific requirements. Furthermore, the controller will usually provide additional instructions in the form of configuration requirements.
Ask – Who are your subprocessors? How will you inform me of any changes to your subprocessors?
There are also specific conditions in GDPR for processors’ engaging other processors (called “subprocessors”). Under the GDPR, processors are prohibited from engaging the services of another processor without prior written permission of the controller. The controller also has the right to object to the addition or replacement of processors. Accordingly, the processor must inform the controller beforehand to provide the opportunity to object.
The considerations discussed here are just the tip of the GDPR iceberg. Hopefully, they will provide you with food for thought as the deadline for compliance draws ever closer.