GDPR and Disclosure of 3rd Parties
GDPR – DISCLOSING WHICH THIRD PARTIES YOUR BUSINESS USES
GDPR is all about transparency and fairness and is designed to
- create enhanced rights for individuals (data subjects) and
- increase accountability for those organisations who control and process data
Protecting data is vital within your business; a breach means not only a failure to comply with legislation but also professional ramifications and an adverse impact on your relationship with your clients/customers and those with whom you work. Once your reputation in business is damaged, it is bound to have a negative impact on your profits too.
Under GDPR, when you collect personal data you must tell data subjects
- who you are (name and contact details of the person appointed as a data protection officer or responsible for data protection) and
- why you are collecting and generally processing personal data and
- who you are going to share it with.
This means naming the third parties with whom you share data. So, for example, if you use MailChimp to engage with your customers/clients then you must include them, by name, in the list of organisations you share data with. You also need to check that they are GDPR compliant, which is another blog in its own right.
The problem is that as a business you will have worked hard to source suppliers and other third parties that help make your business great. You are probably quite happy telling your customers/clients about them. However, if you are honest, there will probably be a part of you that resents sharing this information with some others – say, for example, your competitors. The problem, you may feel, is that once it is visible on your website, it is there for those whom you want to see it as well as those you would prefer did not.
Can you avoid naming 3rd parties under GDPR?
It depends. Guidance from the Article 29 Working Party says that you should name third parties with whom you share data unless you can demonstrate that it’s fair to provide only details about the categories of third parties rather than their names. So, for example, instead of naming MailChimp you could state that you share data with marketing partners (you must provide some more detail about each category too).
When is it fair not to name the third parties with whom you share data under GDPR?
“Commercial interest” (such as “I don’t want my competitors to know”) is most unlikely to be a fair reason for non-disclosure. If, for example,
- your third parties are constantly changing AND
- you keep a list of them AND
- you make it clear that data subjects can ask you for a copy of that list
then you may be okay. The guidance does not define what is fair, so nobody will tell you that changing your suppliers every week is acceptable. It is part common sense and part fairness.
Half-way house to naming 3rd parties under GDPR?
For some businesses, a “half-way house” option may be worth considering. This way you can
- provide the names of some third parties who are regulars, for example, your IT maintenance provider, because you have a 3-year contract with them and
- use categories for others, such as your marketing partners, if your organisation is constantly chopping and changing the third-party suppliers it uses for that work.
Remember though that you must make sure that
- you hold an up-to-date list of all the third parties (adding and deleting as they change) with whom you share data AND
- you tell data subjects who to contact to get an updated list of those third parties AND
- you supply that up-to-date list of third parties with whom you share data when asked.
If you would like a free clause which you can adapt to name some suppliers but provide categories for others, please let us know by emailing firstname.lastname@example.org
About The LH Group
Call us on 01244 300413 or email email@example.com
We help businesses comply with their legal obligations – GDPR, HR, IT Security, Business Consultancy – Insured, professional, qualified, experienced help.