Who Is Processing Your Data?

From: "I-ntarsia Directions" <comms@PROTECTED>
Subject: Who Is Processing Your Data?
Date: June 8th 2018

For some time now, I have used the simple diagram on this page to illustrate what the I-ntarsia Managed Digital Service Platform is in comparison with other services.  During the recent scramble for GDPR compliance it was amusing to receive a scan of that diagram attached to an enquiry from a marketing manager. The gist of the enquiry was:

“The MD passed me copy of a diagram from your website that she’d written some notes on. I asked our digital agency and the answers they gave me were so alarming I wondered if we could talk? We’ve got a great relationship with [our agency] but want to explore if there’s potential for you to work with them?”

I’ve had to recreate/paraphrase the marked up diagram as follows:

This got me wondering just how much companies know about their digital services and how they are provided? GDPR puts a responsibility on organisations to understand all aspects of personal data control and processing. This applies either directly or via third parties. Given that so much interaction with customers is now undertaken via digital services it is crucial for organisations to have data processing agreements in place with every third party who has access to the data collected on their behalf. How can they do that if they don’t know who those third parties are?

As an example, take ABC Widgets, an organisation who uses an online website building service. Such services have allowed the organisation to self build a website and online shop that meets their needs. It’s not perfect, but it is easy to do and seems to work. To get parts of the site working (shop, enquiry system, customer area etc) they’ve used online ‘plugins’ from a number of different vendors, some are part of the builder system, many they’ve found via Google. Where do you think they stand in terms of compliance?

ABC may have had updated terms and conditions from the online build service, but does that include a specific data processing agreement? I was contacted by my online accounting system with their new GDPR privacy policy a few days before the deadline. I had to point out to them that it only covered data that they controlled, e.g. my account details. I explained that I also needed a data processing agreement with them as they were processing all of our customer data. I offered to send them one, but they delivered updated terms of service on deadline day.

What about ABC’s plugin providers? Many plugins use hosted services to provide the functionality. Purchases, quotes and enquiries can contain a mountain of personal data. Does ABC even know which countries that data is stored and processed in let alone who they should have processing agreements with? Furthermore, many of these plugins will also be hosted outside the EU, creating even more required diligence.

So much focus, by organisations, has been about ‘controlled’ data that I fear ‘processed’ data has been overlooked by many. 

We undertook a full supply chain audit to make sure that we had compliance down to the engineers at our cloud provider who can walk into the data centre and plug devices into the underlying machines. We then redrafted all of our service terms and conditions to ensure that we had compliant terms that our customers could use to satisfy their own audits. Finally, we documented it all and established a process for review and improvement. This was a major undertaking.

As the mania over GDPR subsides many organisations have relaxed and adopted a business-as-usual attitude, comfortable about the data they control. However, as the real impact of GDPR is developed in legal case law I wonder how many will regret that they didn’t spend more time looking at the data processors in their digital supply chain!

  • This mailing list is a public mailing list - anyone may join or leave, at any time.
  • This mailing list is announce-only.

I-ntarsia is a Digital Service Platform bringing the power Drupal 8 content management and ecommerce system to the widest range of digital architects, designers and corporate end users.

We use the I-ntarsia Directions list to post articles, announce new products and services as well as to make unique offers to subscribers. If you are involved with the development and operation of one or more websites then you may benefit from our announcements on this list.

Subscribers should expect no more than one mail per week as an absolute maximum from this list.

Privacy Policy:

I-ntarsia Directions is a public subscription list. As such the data held is classified as List Subscription under our Privacy Policy. List subscription data may be processed for the purposes of offering, marketing and selling relevant goods and/or services to you. The legal basis for this processing is consent.

You can view our full Privacy Policy at: https://www.i-ntarsia.com/privacy-and-cookies-policy

 Powered by I-ntarsia | © 2018 I-Next Ltd. | Site Terms and Conditions | Privacy and Cookies Policy