
Vendor Handling: A Difficult Task under GDPR
By Zoe Stylianou, Data Privacy Officer, Bank of Cyprus
The new data privacy regulation that came into effect a year ago, known as GDPR, brought, among other obligations and tasks, the need for Controllers to carefully evaluate their engagements with vendors, as they will be indirectly responsible for choosing and cooperating with vendors who do not treat GDPR as an important element in carrying out the services they have been engaged to provide. The Controller-to-Processor test for establishing roles is essential to determine the relationship between the two parties to each engagement. Establishing the roles sets down the obligations each party has towards the other, as well as towards compliance with the requirements of the Regulation.

Controllers should pay special attention when choosing their Processors. They must look out for and choose associates that place great value on data privacy and have committed resources to complying with the Regulation: enriching their own systems’ privacy and information security, training their employees in a privacy culture, reviewing internal processes with GDPR principles in mind, preparing the Register of Processing Activities, appointing a DPO, drafting a privacy notice, and introducing processes for the prompt identification of leakages and the immediate updating of the Controller. Processors must not only be ready to carry out the processing they are asked for under the engagement but must also be ready to cooperate with the Controller, where necessary, on the execution of data subject rights and on the DPIAs that the Controller will be dealing with.

When subcontracting, Processors must pay special attention to the sub-contractors they choose, to whether they are in Europe or not, and to whether they exercise due care regarding data privacy matters. If this is not the case, the Controller must be doubly concerned, having to deal not only with the Processor but also with the sub-processor.
Controllers are usually faced with longstanding engagements with Processors who are not yet ready to proceed with GDPR-related changes and who, most of the time, need guidance and advice from the Controllers on privacy matters. This is a very difficult, unavoidable and time-consuming task for the Controller as, in most cases, replacing a vendor is not an option. It causes considerable headaches for Controllers, and negotiations and discussions tend to be endless. Thus, post-GDPR, Controllers must ensure that they choose their vendors very carefully and do not compromise on privacy obligations. This is the only way to push the market to GDPR maturity.