EPISODE 9: How to make a GDPR risk assessment of (sub)contractors?

15 May 2018

GDPR responsibilities of all parties involved

GDPR distinguishes two parties, both of which can be held responsible in the context of the processing of personal data: data controllers and data processors:

  • The controller “determines the purposes and means of the processing of personal data.”
  • The processor “processes personal data on behalf of the controller.”

Here are two important GDPR quotes concerning the (shared) responsibilities of the parties involved:

  • “The controller shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with GDPR.”
  • Fines shall be imposed regarding “the degree of responsibility of the controller or processor taking into account technical and organizational measures implemented by them.”

Bisnode’s risk assessment procedure for new (sub)processors

Bisnode has set up a two-phase procedure to screen new (sub)processors. First, we evaluate potential new partners via a risk assessment, which covers:

  • Some general topics and the nature of the data concerned.
  • Any third party involved, e.g. sub-contractors of our partner.
  • Technical and organizational measures regarding:
    • Data transfer
    • Access management and authentication
    • Storage and processing of data
    • Security policies and organizational measures
    • Traceability of processing
    • Retention policy
    • Monitoring and incident management process

This risk assessment can lead to a corrective action plan before the supplier is approved. In a second phase, approved suppliers are invited to sign the Data Processing Agreement.

360° risk assessment of data controllers and processors

Bisnode has also applied this risk assessment procedure to its existing (sub)processors. This serves both to identify potential gaps and require corrective measures, and to comply with the documentation obligations that are part of the accountability principle.

Of course, Bisnode customers have their own risk assessment procedures. That’s why we have been screened by many clients for whom we are processing personal data.

How did Bisnode revamp its whole offering of solutions to become fully GDPR compliant? That is the subject of episode 10.

Looks complicated? Glad to help you!

Don’t worry: whenever in doubt about a GDPR data issue, do not hesitate to contact your Bisnode consultant. Getting GDPR ready? Been there! Done that! We’re ready to help and get you on your way.