Boxcryptor’s GDPR Journey Part 4: Dealing with Third Party Providers
Since May 25th 2018 the new General Data Protection Regulation (GDPR) has applied to Boxcryptor and to every company processing personal data of individuals in the EU. This regulation of the European Union is fundamentally reshaping how personal data is processed within the EU. It demands far-reaching changes and restructuring from the companies it affects, and surveys show that the GDPR is striking fear into many of them.
We at Boxcryptor decided to treat the GDPR as an opportunity rather than a threat. Therefore, Boxcryptor CEO Andrea Pfundmeier reports in a multi-part series of articles on how the new GDPR is implemented and applied at Boxcryptor.
Read the other parts of the series here:
Part 1 – Getting an overview (Steps 1-4)
Part 2 – Optimization of existing processes (Steps 5-8)
Part 3 – Internal implementation and external data protection officers
Part 5 – Encryption
Part 6 – Before GDPR is past GDPR
Step 9: Review of Third Party Providers
Third party providers are companies and services we depend on to run our business. Under the new GDPR, the term applies to all providers that process personal data on our behalf (processors, in GDPR terms). Here are some examples:
- Mailchimp – email newsletter distribution
- Onapply – web-based job application processing
- Salesforce – invoicing and customer relationship management (CRM)
- Dropbox – storage of company data
As described in step 2 (documenting processes), I had already compiled a complete list of third party services. Now every one of them has to be checked for GDPR compliance.
To that end, I researched the providers' websites for information on the status of their GDPR compliance measures. Some companies have been diligent and already provide extensive information on the matter, e.g. Mailchimp's GDPR information page.
For the companies for which I was able to find all the necessary information, I added a checkmark to my list. In all other cases I contacted the respective company and asked for a statement, based on these questions:
- What is the current status of GDPR implementation?
- When will GDPR compliance be achieved?
- When will the company be able to send me the respective documents?
In some cases the companies responded quite extensively; in others I was simply redirected to the legal department or given a date by which GDPR compliance was supposed to be achieved. I recorded the answers on my list and created templates for follow-up requests so that I will not lose track in the future.
Third Party Providers and the External Data Protection Officer
In part 3 of our GDPR article series I also mentioned the appointment of an external data protection officer (DPO), although we are not legally obliged to have one. As CEO, I am in fact not permitted by law to take on this position myself (a conflict of interest under the GDPR). Furthermore, none of our employees has enough capacity to take on this responsibility. In addition, the initial and ongoing training required would probably overwhelm our current start-up structures. I also took into account that internal DPOs enjoy special protection against dismissal, which some employers will find an interesting consideration.
Supervising service providers and implementing the rules for commissioned data processing (data processing on our behalf) are part of the DPO's work. When recruiting a DPO for our company, industry knowledge was a crucial criterion for me. For us as an IT company it is essential that our service providers know our internal processes and the tools we work with. Furthermore, I need partners who are open-minded towards future innovations.
Apart from that, I consciously chose a regional DPO to keep personal contact as simple as possible. Short distances for trainings and other appointments are really important to me, as is mutual trust. To see whether this develops over the course of our collaboration, we initially agreed on a one-year contract.
As with many topics, talking to other entrepreneurs and exchanging experiences about external DPOs has proved worthwhile. By doing so, you will certainly receive valuable references.