New privacy and data protection laws come into force on May 25th, 2018 – are you ready yet? If you handle sensitive personal information, then you need to be compliant with the EU’s General Data Protection Regulation (GDPR).

So far this is European legislation, but even American firms can fall foul of this far-reaching legislation, and the consequences of getting it wrong are serious. The rules go beyond your own processes. You need to make sure that your software vendors and other third-party partners and suppliers are GDPR compliant. If they aren’t, then you could face large fines or even prison.

Simply put, the new EU directive has determined that the company on the front line, which uses outside suppliers to process payments and other sensitive information, is now the ‘controller’. The third-party supplier is the ‘processor’ and is now seen as acting on the controller’s behalf.

That subtle change in the law means that as the controller, you’re liable for your outside suppliers – and a major failing on their part could have dire consequences for everybody. Ignorance is no defense and this legal sidestep effectively means you must vet your suppliers and make sure they’re compliant with the new regulations.

Heavy Fines and Prison Terms

Serious breaches can result in fines of more than $17 million for both you and your software partner, as you are the data controller. Prison is also a very real possibility and the regulators will want to set examples early on.

If you are dragged into a case like this due to a failing on your software vendor’s part, then it can cost a vast amount of money, time, and stress. You can also find yourself forced to take your software vendor to court, and that can turn the whole procedure into an energy-sapping, never-ending nightmare.

You must make sure that you’re compliant with these new rules if you work with data in the European Union. The simple way to do so is to ask these six questions to each and every one of your software vendors and ask for a formal reply.

Time to Audit All Suppliers

If you haven’t already, the long-term solution is to take the time to audit all of your outside processes now and make sure that your providers understand the law and are totally compliant. This is a good chance to look at your business and make sure that all your providers work to the highest standards. This includes:

  • A review of your software vendors’ terms of use and privacy policies to make sure they are truly complying with GDPR. Many software or SaaS companies will claim to be GDPR compliant, but their legalese says otherwise.
  • A review of your use of the software to make sure your company will not fall short of GDPR laws. Depending on your planned use of the software, you may have to either change your internal processes to continue using it in a compliant fashion, or stop using it altogether.

That’s the only way to future-proof your business and make sure that you never get caught in the ever-increasing web of privacy regulations and red tape. For now, though, take the GDPR seriously and make sure you and your software vendors are fully compliant.