Article excerpts from a forthcoming book – 99 Articles on the GDPR
Summary: Yes, through business-to-business agreements that state the necessary steps and the consequences of non-compliance with the GDPR.
- Partnerships put organizations at risk through non-compliant data transfers
- Take care when accepting PII from partners
- EU personal data should be protected through agreements with partners and compliance requests made to them
Partnership strategy comes in forms that are not always readily agreed upon, nor controlled, by both parties. One such nuance is regulation. This is not to say that regulation cannot be accounted for, but a partner's compliance with a law from outside its own territory may at times be offered only in good faith rather than under legal obligation. While an organization may not itself have to comply with the laws of another country, its partner may fall under that jurisdiction. For example, a U.S. organization may have a business relationship with an E.U. organization that is subject to the GDPR; the E.U. organization can be ordered to stop doing business with the U.S. organization if the U.S. organization fails to protect the transferred data adequately. This means a company with limited customer privacy controls runs the risk of compromising important international business relationships.
From a regulatory standpoint, data protection authorities (DPAs) enforce data security practices and act on complaints made against violators. These authorities can hand out significant fines for violations (up to 4% of a company's total worldwide annual turnover, or EUR 20 million, whichever is higher) or order processing, and with it the related business activity, to stop altogether. The repercussions to a partner can be minimal, but they may also affect its entire business model.
To this end, organizations should be careful when accepting PII from their partners. To keep it simple, transferred data should be subject to the same GDPR policies and controls regardless of whether it is held in-house or moved between organizations. Even if the partner has obtained the necessary permissions and performed all the steps the GDPR requires, the receiving organization, as a separate entity, still needs its own lawful basis for the processing and must offer data subjects the same rights and choices independently of the partner. A robust data sharing agreement can lessen the impact, but organizations should still do their own due diligence. At the very least, the agreement should identify which fields contain PII and which records must be deleted or anonymized when a data subject exercises the right to erasure.
Partnerships are part of the lifeblood of technology success.
Business outcomes are made possible by understanding the processes and technology of partners, while also understanding that users' data becomes a liability if security and GDPR compliance are not treated as a priority. As an organization, it is best to put terms into contracts with suppliers and partners that cover these risks, or at least allocate liability for them. For example, a business receiving personal data will seek contractual terms guaranteeing that all personal data has been obtained and processed lawfully (which, for a GDPR-compliant business, means "lawfully" in terms of the GDPR). The GDPR affects every business dealing with clients in the E.U., not only companies based in the E.U., so appropriate safeguards for sending and receiving personal data should be in place: compliance with the rules on international data transfers, inter-business contractual arrangements, and, for multinational businesses, the natural adoption of the strictest applicable regulation as the common baseline.