Third-party data providers are the goliaths of the data World.
The data provided by these Data Aggregators play a critical role in audience targeting and audience extension and due to their sheer volume, it is great for demographic, behavioral, and contextual targeting.
With their help, B2B marketers can discover new leads and gain intel on current leads by making use of their industry-specific data service. This provides deep insights and real-time alerts on potential buyers. Without them, B2B enterprises will find it extremely challenging to build and maintain up-to-date and accurate customer database lists.
GDPR compliance has added to this challenge. Under this, all organizations must acquire clear permissions that are ‘freely given, specific, informed, and unambiguous’ in order to have their personal data processed. This applies to the leads owned by the marketer as well as third-party lead vendors.
For this reason, it is of paramount importance that B2B marketing teams put in place plans that ensure all third-party vendors; media partners, publishers and lead vendors, collect prospect data in a GDPR-compliant manner. Companies are responsible for the readiness and conduct of the third parties they use to process personal data of EU citizens.
In order to ensure GDPR compliance by third-party data providers:
1. Make certain that higher management is aware of the GDPR challenges
GDPR is a significant improvement to the data protection law that used to be in place which means you will need to improve business strategies in order to meet compliance requirements. Once the key leaders of your company are made aware of the obligations, they will be able to put in place a framework that supports the team.
2. Conduct a company-wide information audit
If your organization controls and is responsible for the maintaining and use of personal information then you are a data controller. Under GDPR, you are responsible for how a third party data processor handles personal data and the way to do this is through an information audit. This can be done with the help of the 5W review for you and your third parties.
- What personal data is controlled by your company?
- Where is it stored?
- Why is it being processed?
- When will the data be used?
- Who will have access to it?
3. Sensitive data access must be restricted
Only specific information is needed by third parties to get their job done. Through carefully controlling access to personal data, you can eliminate unnecessary risks. But when access is needed to the restricted data, make sure that GDPR obligations are clearly defined for both parties.
4. Evaluate third parties for GDPR risk
- You are responsible for the GDPR compliance of your third-party processors. To ensure this:
- Assess their GDPR compliancy progress through the help of questionnaires you send out to them
- Once you review their questionnaire responses, set up controls based on the risks they pose
- Take remedial actions to fill gaps in their GDPR preparedness and monitor the third party until they become fully GDPR compliant
- Periodically perform reassessments to ensure ongoing compliance
5. Document all data processing activities
As the data controller, you need to keep records of all data processing activities to be GDPR compliant. This includes the supervision of third parties and the recordkeeping of their own. Third parties need to meticulously document all their activities as supervising authorities will expect you to produce it on-demand.
6. Don’t keep data for longer than required
Any data collected under GDPR needs to have a legitimate purpose and must not be held indefinitely. Personal data should be stored for the duration it takes to accomplish the purpose you had collected it for which goes for third parties as well.
7. Consider appointing a Data Protection Officer (DPO)
In order to oversee data protection compliance, some, not all, organizations are required to appoint a Data Protection Officer. These officers are critical advisers with expertise and insight in keeping sensitive information secure.
8. Inspect your legal consents
Gaining consent is the best practice under GDPR before you process any personal data. To make sure you are gathering and using personal information that is in line with GDPR’s strengthened guidelines, conduct double-checks on your policies and the third party policies.
Kory Willis, senior director of IT at Impartner, a SaaS channel management solution states that it is vital that vendors are closely managed in order to stay compliant. According to him, it all comes down to vendor management as the data controller is just as liable as the data processor. It is prudent that the controller ensures that the data processors are consistent with GDPR.
The data processing agreements have been updated by any third-party data vendors who have also added GDPR sections to their websites. Some even have checklists for customers and updates on their method of compliance.
As a data controller, you can talk to your third-party partners and take a fresh look at old vendors but always make sure to thoroughly vet new ones as well. Check the certifications they have and how verbal they’ve been about their intention to be GDPR compliant. Since compliance means being able to collect and even delete user data, make sure they possess the tools to do so. Remember that you and your third-party data processor are in it together and so maintaining a good working relationship will help you collaborate and find solutions that will work.