As many of you may have now read, the emergence of GDPR brings a new set of responsibilities for both the data controller and the data processor.

Gone are the days when companies could go back and forth blaming third-party processors for their relaxed data policies, and third-party processors could take zero responsibility for breaches. It is now the responsibility of the data controller to make sure that, if they are handing personal data over to third parties, there is a contract in place that puts the onus of compliance on the third party and commits the controller to compliance as well. If a breach takes place, you as a company want to be sure that you have done everything possible to protect that data, regardless of whether you are a data processor or a data controller.

I know what you are thinking: if you are anything like us, drawing up a separate contract with every single company you pass personal data on to would take ages and be highly expensive. That is why commitments to privacy from companies like Microsoft are so important. By the 25th May, large companies such as Dropbox, Xero and Google should all have published commitments to compliance, so that we as data controllers do not need to bind each of them contractually one by one.

So, what is Microsoft’s commitment?

Microsoft have made a public commitment to privacy, security, compliance and transparency. They are making contractual commitments that “provide key GDPR-related assurances” about their services. These contractual commitments guarantee:

• Respond to requests to correct, amend or delete personal data.
• Detect and report personal data breaches.
• Demonstrate your compliance with the GDPR.

Microsoft is the first global cloud services provider to publicly offer these contractual commitments. They have also created a whole host of resources to help you stay compliant and cover yourself with regard to third-party agreements and data usage in general: www.microsoft.com/GDPR.

It is important for you as a data controller to find out what rights and responsibilities you have when holding and using personal data. It is also important, when sharing that data, that the companies you are sending it to have made commitments similar to Microsoft’s. You will find that a lot of companies, such as Dropbox, say that they are not currently compliant but will be by the 25th May, so make sure you check up on them and ensure that they keep their promise.

For those smaller companies that may not make such a commitment, we recommend that you seek legal advice on how to build a data privacy policy into your third-party contracts. That way, any external breaches are on them, not on you, and they carry the responsibility to report the breach.

For more information on GDPR, read our series of GDPR blogs or come to one of our seminars! See upcoming dates here.


Lucidica is the IT support team for London businesses