Practice development

STEP 9 – 3rd party contracts

This section of the Workbook deals with issues arising from the placement of personal data under your control with 3rd parties, for example subcontractors, or software vendors where your data is held in the cloud.

No short cuts here

Without confirmation that these 3rd parties are GDPR compliant, it would appear that lapses in their security arrangements become your problem.

The last three sections of this page provide details of the sorts of terms that should be included in contracts, whether you are the Controller or Processor in the arrangement.

Resources in the support portal

You should also read the guide (step 9) set out in the “12-Steps” section of the support portal. You can also download a “Draft request to send to 3rd parties” that you can adapt (see the Templates and Downloads section of the support portal).

Practical issues

For me, the major issue is chasing up software vendors. Once you are confident of the terms you need to agree with 3rd parties, you will need to be persistent to secure their confirmation that contracts in place confirm GDPR compliance.
