Ahead of the curve
For just over a year now Angry Creative (Pragmatic) has been beavering away in the background working on information security and data protection. Initially we worked hard to achieve ISO 27001 accreditation for information security and then, immediately following, committed significant resources to delivering high-end GDPR compliance documentation and implementations for ourselves and our clients.
Whilst we’re happy and confident that our GDPR ducks are aligned as well as is humanly possible right now, we did encounter a couple of significant issues when attempting to apply GDPR to the “real world” of our business, and, as is our style, we want to share our insights with you.
The GDPR implementation issues we encountered were in relation to: Transfers of personal data to third parties and third countries; and Cookie Consent. We’re going to deal with each of these issues in separate blog posts. Starting with the first.
The burdensome nature of Third Party and Third Country handling under GDPR
Third Parties
In Article 28(3) the GDPR stipulates that “Processing by a processor shall be governed by a contract or other legal act under Union or Member State law”.
Article 28(2) states that “The processor shall not engage another processor without prior specific or general written authorisation of the controller.”
Additionally, Article 28(4) makes it clear that “Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor … shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law.”
So, as a digital agency under GDPR, Angry Creative inherently occupies the position of a processor of the data our clients control. Therefore, given the above, we need a new service contract signed with every client, each of which must contain a GDPR compliant data protection schedule. We also need written consent from each client to transfer their data to any of our service providers (third parties) and, if we are to avoid liability for that transferred data, we need a contract with each service provider that’s at least as robust as the contracts we have with our clients.
That, in a nutshell, reveals the burdensome nature of GDPR in this context. We have hundreds of clients for whom taking on a new service contract is no trivial matter. Additionally, in this case, when considering those contracts, each client must review a list of service providers and consent to our continued usage of those and, last but by no means least, we are charged with the essentially impossible task of agreeing individual GDPR compliant contracts with each of those providers. Microsoft, for instance, are not going to engage in an individual contract negotiation for our use of their Office365 service.
It should, however, be remembered that all this, at heart, is a valiant attempt by the GDPR to ensure robust ongoing data protection for EU member personal information as it naturally moves into organisations and on to their service providers, and on again to their service providers’ service providers, and so on. In other words, it’s no longer OK just to transfer personal data to third parties without first ensuring that the destination of that transfer is governed by data protection measures at least as vigorous as the GDPR.
None the less, as is obvious, this is not a trivial undertaking for us or our clients.
Third Countries
GDPR chapter 5 deals with “Transfers of personal data to third countries or international organisations” and can be viewed, in the context of this post, alongside the third party GDPR dictates detailed above, giving rise, as it does, to exactly the same issues. In both cases the GDPR is simply attempting to maintain data protection as data moves around and, in both cases, that protection must be rigorous and demonstrable.
Companies like us use a whole host of service providers, most of which, as a matter of policy, do not negotiate individual service contracts and some of which, at best, offered rather leaky GDPR compliance documentation and implementations. Again though, this, like the vast majority of the GDPR, is an honourable attempt to fully respect the personal data of European Union members even as it makes its way around the world and is transferred from organisation to organisation.
A Pragmatic Solution
As we researched how best to handle these issues we noticed that many organisations took a very expedient approach, simply saying in their privacy notice that data will be transferred to third parties and/or third countries and that by continuing to use their website and/or services you, the visitor and/or service user, implicitly agree to those transfers. In our opinion that approach does not respect the spirit of the GDPR and, most likely, is out of alignment with the letter of the regulations to boot.
Not satisfied with that approach, we decided instead to follow a belt-and-braces route by conducting what the GDPR calls a data protection impact assessment on all our service providers. We undertook detailed research into the data protection credentials of every service provider we use, applying additional focus on the end-point geographical destinations of the personal data we process for our clients. The table we’ve drawn up is now included in our new GDPR-compliant service contracts and sets out all the information anyone needs to decide if personal data entrusted to us will be protected. This covers the need to have written consent to transfer personal data to these providers wherever they are in the world.