When the Dutch company Clearview developed its facial recognition technology, it built a database of 30 billion faces by scraping photos of individuals from the internet and social media without their consent and converting each face into a biometric code. The Netherlands data watchdog declared the database illegal and fined the company $5 million for GDPR non-compliance, including violations of user privacy, transparency, and accountability.

The case raised serious questions about the ethics of third-party use of the technology, which the company states is mainly used by criminal investigation and law enforcement organizations. But what if a third party had access to the illegal database and could use it for malicious purposes?

This is why ensuring third-party GDPR compliance matters.

What is Third Party GDPR Compliance?

The General Data Protection Regulation (GDPR) is a European regulation that came into effect in 2018 and focuses on protecting the data privacy of individuals. To comply with the regulation, businesses must obtain the explicit and informed consent of customers. This means that customers must voluntarily agree to the collection of their data and understand the processing activities, including the type of data being processed, the specific purpose of the processing, and their right to refuse having their data processed.

Explicit and informed consent also extends to any personal data shared with third parties. As a result, it is crucial that organizations map and classify the third parties in their supply chain. In addition, vendor contracts should clearly state the third party's responsibilities for data protection, security controls, and internal policies for handling data breaches.

Scope and Applicability of GDPR

The GDPR applies to all businesses, organizations, companies, and individuals, and their third parties, that control or process the data of customers in the European Union. In addition to the EU, the GDPR applies to further European Economic Area (EEA) countries, such as the U.K., Iceland, Norway, and Liechtenstein. It also applies to a business located outside the EU or EEA that targets customers residing in these regions.

The 7 Key GDPR Principles

The GDPR is founded on a number of basic principles, which are clearly stated in Article 5 of the regulation. With the exception of accountability, these principles were previously part of the 1998 Data Protection Act. In the GDPR's terminology, the organization is the data controller while the third party is the data processor. Both data controllers and data processors are required to abide by the seven foundational principles outlined in Article 5.

1) Lawfulness, Fairness, and Transparency

Data must be processed in a manner that respects individuals' right to privacy and builds trust. Although data protection looks different for every organization, a number of basic principles apply regardless of the organization's size or industry.

These include:  

  • Lawfulness. Processing and collecting customer data with third parties must have a legal basis. Data should not be processed in a manner that breaches the confidence of customers or the business contracts made with them.
  • Fairness. Data processing should be done in a manner that customers would expect and that respects individual rights.
  • Transparency. Organizations must process data in a clear, open, and honest manner, so that customers understand who is collecting their personal data and for what purpose.

2) Purpose Limitation for Data Collection

Data must only be used for the purposes for which it was collected. For example, if personal data collected for one purpose is then shared with a third-party marketing agency for email marketing, that violates the GDPR's purpose limitation. To be compliant, the organization would need to obtain explicit consent from the customers to use their personal data for these email campaigns.

By training your employees on data and privacy issues, you help prevent the accidental use of data in a manner that fails to comply with the GDPR. In the event of non-compliance with the purpose limitation, both the third party and the organization would be liable and subject to financial penalties.

3) Data Minimization

The organization should only collect the data it needs for the intended purpose, and not collect extra data to keep "just in case." For example, if an e-commerce company uses a third-party payment processor to collect payments from customers, that third party should only collect the information it needs, such as the customer's name, address, and payment information.

Beyond GDPR compliance, data minimization has other benefits. With less data available for malicious actors to steal, you reduce the impact of a data breach. It also helps your organization comply more easily with storage limitations.

4) How Data Accuracy Is Important to GDPR

Data should not be misleading or incorrect, and data processors and controllers should do all they can to ensure that data is up to date and correct. Although the GDPR does not define the term "accurate," it states that "reasonable steps should be taken" to ensure data is accurate, used for the stated purpose, and either erased or corrected as soon as possible. For example, an organization or marketing agency running an email campaign should, in addition to providing a link where customers can update their email address, regularly verify that the email addresses in its database are still valid.

5) Storage Limitations

Data should not be stored once it has fulfilled its purpose and is no longer necessary. For example, a financial organization is responsible not only for its own compliance with GDPR data storage requirements, but also for ensuring that its cloud provider stores any data shared with it securely and for no longer than needed. It should clearly stipulate data storage limitations in its third-party contracts and conduct regular third-party risk assessments that verify the cloud provider's access controls, data protection, and risk management policies.

6) Integrity and Confidentiality

Data should be accurate (integrity) and available only to those with the proper permissions (confidentiality). In terms of the CIA triad, confidentiality can be supported by encryption in addition to security controls such as MFA, while integrity can be supported by checksums and hash functions, and by transaction logging that records, for example, the amount of money transferred from account to account. If a financial organization uses a third-party data management and storage service, it must ensure the service implements data integrity policies through regular backups, integrity checks, and audit logs that record who accessed or modified data and when.

7) Accountability 

The final principle requires organizations to document their compliance with the other six principles. For example, in the event of a data breach, the organization is responsible for providing documentation showing that both it and its third parties did all they could to prevent the breach. This could include compliance with other regulations and security standards (e.g., HIPAA), holding certifications such as ISO 27001, and training employees on the importance of data protection and privacy.

Organizations with more than 250 employees must also document their data processing policies, explaining how long data is kept, why it is processed, and the security measures protecting it. They may also be required to appoint a point of contact specifically for GDPR compliance, such as a Data Protection Officer (DPO).

GDPR Compliance Checklist

The seven principles are only part of the GDPR; the rest of the regulation's text adds further requirements. To achieve full compliance, you'll want to follow a checklist similar to the one below.

Appoint a Data Protection Officer (DPO)

Under the GDPR, an organization must appoint a Data Protection Officer, responsible for the protection of personal data, if it meets certain criteria.

These criteria include any one of the following: 

  • Is a "public body" (e.g., a government agency or public institution)
  • Uses data to regularly monitor individuals (e.g., monitoring location data in real time)
  • Monitors individuals on a large scale (e.g., behavioral advertising by a search engine)
  • Processes data relating to criminal convictions and offences on a large scale

The DPO's role encompasses six tasks:

  • Answering questions related to data protection 
  • Communicating data protection policies of the GDPR to employees
  • Monitoring the organization’s compliance with GDPR 
  • Performing data protection impact assessments
  • Cooperating with the data protection supervisory authority
  • Being the point of contact for the data protection supervisory authority on any matter related to data protection 

Conduct a Data Audit

Data audits ensure compliance with the GDPR by assessing how your organization collects, uses, and stores data. If your organization operates online, handles sensitive data, or has suffered a data breach, you'll need to consider conducting a data audit. Data audits should be conducted regularly, but especially at key points in your organization's development, such as a merger or acquisition, a regulatory change, or a data breach. At these key points they should also assess how third parties collect, use, and store data, to ensure those third parties are not in violation of the GDPR.

Update Privacy Notices

Documents that explain how the organization processes personal data should be written in clear language, be transparent, easily accessible, and free of charge. This document, the privacy notice, should be updated whenever the processing of personal data changes. Such changes include, but are not limited to, a change in the supplier or third party the organization shares data with, the purpose of processing, the data retention period, and the category of data processed. Once a privacy notice is updated, it must be communicated to the relevant parties.

Even if the data is shared with a third party outside of the EU, the privacy notice must specifically state the type of data transfer, security policies in place for the data, and any legal changes in data transfer policies.

Implement Data Subject Rights

Individuals whose data is processed (data subjects) have the right to access their data and to understand how it is processed and the purpose for which it is collected. They also have the right to correct their data, request that it be deleted, receive it in a machine-readable format, restrict its processing under certain conditions, and object to their data being processed. They can also opt out of automated decision-making, such as profiling. The organization must be able to fulfil data subject requests quickly (typically within one month) and free of charge.

Ensure Data Processing Agreements

Data Processing Agreements (DPAs) are contracts between the data controller and the data processor that set out how the data is processed, the measures for its confidentiality and security, and explicit terms for any sub-processing. A DPA also covers measures for data subject rights, requirements for breach notification, the return or erasure of data, and making information available in the event of an audit or for compliance purposes. DPAs ensure that the data processor (e.g., the third party) uses data only in compliance with the GDPR.

Establish Data Protection Impact Assessments (DPIAs)

DPIAs help organizations assess the risks to personal data in their processing activities and explore ways to mitigate those risks. This is done through a combination of technical measures, such as access controls, and organizational policies, such as employee awareness. When the risk to personal data is high, the supervisory data protection authority should be consulted. All DPIAs should include an assessment of the risk associated with sharing personal data with third parties.

Third Party GDPR Compliance Challenges

One of the biggest challenges in achieving third-party GDPR compliance is the management of third parties themselves. Organizations switch suppliers and service providers frequently, and these third parties in turn often subcontract their services to fourth parties. Beyond identifying these ever-changing third-party services, organizations must be clear on the services each delivers and the sensitive data each can access. Organizations can mitigate these challenges by conducting comprehensive third-party risk assessments, implementing vendor compliance agreements, and regularly monitoring and auditing vendor compliance.

How Panorays Helps You Achieve Third Party GDPR Compliance

Panorays delivers a contextual approach to third-party cyber risk management. With its supply chain discovery and mapping of third parties, and a dynamic Risk DNA score that calculates an evolving, contextual risk for each vendor, you can identify your third parties and exactly which risks should be prioritized. The Risk DNA score includes an automated cybersecurity questionnaire based on GDPR compliance requirements, with relevant questions for your third parties as well.

Its AI-powered assessments also help answer the questionnaire quickly, with zero interaction required from the supplier, by scanning uploaded documents and publicly available information to automatically find relevant answers. It also enables you to easily share each third party's risk profile with relevant stakeholders, both internally and externally.

With Panorays' continuous threat detection and automated remediation steps, you can also ensure that both you and your third parties remain GDPR-compliant even as regulations, your supply chain, cybersecurity risks, and technology evolve. Want to learn how you can move beyond compliance and become proactive with your third-party GDPR compliance? Contact Panorays to learn more.