Navigating the Bermuda Triangle of Third-Party Data…
How to avoid confusion, close calls and c*ck-ups!
The dangers of the Bermuda Triangle are well documented – just ask Barry Manilow!
And although we’ve not heard from him or any of his Fanilows recently, we have been talking to customers concerned about a GDPR Bermuda Triangle that’s much closer to home and causing plenty of confusion amongst data controllers, data processors and data brokers…
It’s all around third-party data.
We touched on this in a previous blog from a data controller’s perspective (and the importance of having a detailed contract in place with data processors) so, this time, we’re giving a broader overview of how it all fits together and what to look out for when third-party data is concerned!
The difference between first-, second- and third-party data
To truly understand third-party data, it’s first worth recognising how it relates to and differs from the other data sources in the chain.
First-party data: this is information that you (as the controller) have collected directly from your own customers (with their consent, of course!).
Second-party data: described (somewhat curiously) as a ‘sub-type of third-party data’, this is someone else’s first-party data that you (as a processor) have permission to use (e.g. as part of a limited agreement between two brands). In effect, it’s first-party data that’s legitimately been provided by another source.
Third-party data: this type of data doesn’t typically come from a single source, but instead tends to be a consolidation of both personal and non-personal data that’s been scraped or bought from various sources and other licensed third parties (e.g. having previously been collected directly from individuals or public registers). However, even though it’s often used for data analysis and targeted marketing purposes, it’s not always acquired legitimately!
A real-life example
We know that getting your head around the GDPR isn’t always easy so here’s a real-life example of how this triangle of first-, second- and third-party data go together.
Think of a big energy provider. They’ll have plenty of customers that they supply gas or electricity to and, as the data controller, will have collected and stored those customers’ personal details. This would be first-party data.
Now even though data controllers are also data processors (because they also ‘process’ that information), many opt to outsource it. So, let’s imagine in this case that the energy company outsources its processing to a market research company – so that they then handle their customer information. This would be second-party data.
Then, because it’s a business, the energy company wants to grow its customer base to bring in more sales and so also asks the market research company to target the customers of one of their competitors. They do this by buying in data lists from a broker (or appointing one to do that for them). Additionally, they also decide to bring in more potential customers by conducting random surveys (e.g. either online or via street polls/door-to-door cold-calling) and scraping data from elsewhere. They may even decide to buy additional data lists. All of these would be third-party data.
Other common examples would be a company (data controller) outsourcing its payroll or bookkeeping to an independent accountancy firm, or its marketing to a communications agency.
Bringing it all together: key points to remember
There’s a lot to remember where third-party data is concerned, so here are some key pointers to help ensure you’re going in with your eyes open…
If you’re a Data Controller:
- Reputation is everything!
Being a Data Controller demands huge responsibility as well as accountability. As such, total GDPR compliance is a must. Fail in your compliance responsibilities and not only could you suffer substantial financial penalties but even greater damage to your business reputation – particularly if your customers lose confidence in your ability to take data protection seriously.
- Know everything and communicate everything!
If you’re a Data Controller, the buck stops with you, so you need to be in control! That means knowing everything there is to know about your supply chain and particularly any third-party processors or brokers that you use.
Remember: you’re only as strong as your weakest link! Therefore, every decision you make should be an informed one – and, if you have any doubts about the way you’re doing things, then it’s great practice to carry out your own DPIA (Data Protection Impact Assessment). (In fact, if you want to know how to get started with these types of data risk assessments, we’re running a free DPIA webinar on Friday 19th July.)
Similarly, you also need to be open and transparent in what you communicate. At its most basic, that means only passing on your customers’ data (e.g. to a processor or any other third-party) with their explicit consent, as well as clearly outlining everything that will happen to their data in doing so.
- Contract? Er, what contract?
Contracts have been around for centuries and for good reason – they (should) protect both parties. So, having a GDPR one between you and your third-party processors to outline and clarify responsibilities makes a lot of sense.
If you’re a Data Processor:
- Oh, that contract!
And in the same way that it’s wise to have a contract between you and the data controller, it’s also worth having a separate contract to cover your relationship with other third parties that you use, particularly brokers (and carrying out your own diligence and seeking assurances in the process).
- Make sure your rights are right!
Hopefully, this will be correctly identified in the contracts that you have set up. Nonetheless, people unwittingly still make some basic errors.
For example, a design agency that’s built the data controller’s website and ends up processing all of the customer data that gets submitted through its contact and subscriber pages; except that, unfortunately, the owner and admin rights that should have been with the controller from the outset were never transferred.
Another example involves platforms like Dropbox where information can be shared between the controller and processor and/or other third parties. Again, the admin rights need to be with the top of the chain – i.e. the controller.
- Step up by staying a step ahead…
GDPR life is so much easier when you know what you’re doing. That includes knowing that the data you process is secure (and the controller being assured of that too), and that it will be safely deleted or disposed of once it’s no longer required and/or your relationship with the data controller has ended.
And if there’s a data breach – even though it’s with your system – not only knowing that you need to notify the controller asap but also knowing that it’s the controller who must then notify the ICO…
If you’re a Third-Party Data Broker:
- Know the rules and play by them…
A common misperception is just because people’s information can be found in public domains, it’s free to use and process. Of course, it isn’t. If you source data this way then you still need to notify those people whose information you’ve gleaned, obtain their consent and be up front about what you plan to do with that data (like sell it on).
- Recognise when someone else has flouted the rules…
Compliance is probably once of the most often-used words in the GDPR so ensure that whatever information you end up acquiring has been sourced and obtained legitimately. Quite simply, know what you’re buying or else walk away.
Need to send a GDPR SOS? Get in touch!
If all this third-party stuff still has you completely at sea, don’t despair – there’s hope on the horizon! Just email our Rescue Hotline and we’ll have you shipshape in no time.
Why? Because we know our subject matter, no matter how dry others may find it. And that’s got to be a good thing – ‘cos in our world (wait for it…), ‘square’ beats triangle every time! 😉
Until next time...