GDPR will also require you to reconsider your relationships with suppliers, particularly those who handle data on your behalf or have access to any of the data.
Third-party data processors include email marketing platforms and CRMs, which handle a company’s data on its behalf. You and the platform are both accountable for the data. A Data Protection Agreement, or DPA, outlines both parties’ responsibilities for ensuring that data processing standards are met. If you don’t have a template, most platforms will be able to provide one.
When it comes to cloud-based services, data can be stored anywhere in the world, and may be spread across multiple countries. The “Privacy Shield” is a framework developed by the United States and the European Union to assist businesses in complying with data protection regulations on both sides of the Atlantic. Joining the Privacy Shield is entirely voluntary, but once a company has enrolled, the commitment is legally binding. You can check which companies have signed up for the Privacy Shield by visiting the Privacy Shield website.
Major companies such as Facebook, Salesforce, and Dropbox are certified, but smaller businesses should double-check. Keep in mind that an increasing number of programs are cloud-based, so the services you need to check could include everyday programs such as spreadsheets and text documents, in addition to cloud storage, file transfer services, and CRMs.