Broader and deeper vendor GDPR risk
Five articles in the GDPR add new requirements or deepen existing obligations from the legacy 1995 EU Directive on Data Protection:
- Article 28, “Processor,” requires contractual protections with data processors and their sub-processors, adequate data protection, and production of evidence of compliance with the GDPR;
- Article 30, “Records of processing activities,” requires data processors to maintain a detailed inventory of the EU personal data they host;
- Article 32, “Security of processing,” requires data processors and their sub-processors to implement comprehensive information security controls to protect EU personal data;
- Article 33, “Notification of a personal data breach to the supervisory authority,” requires data processors to report compromises of EU personal data to their clients without undue delay; and
- Article 36, “Prior consultation,” requires data processors to provide data protection impact assessments (DPIAs) to their clients in certain high-risk situations.
Companies that engage third parties to process their EU personal data will also want to establish contractually the service levels those processors must meet when assisting with responses to data subject rights requests within their purview, and to require them to provide evidence of GDPR compliance on demand.