What services do you use? (Third parties)

Every business uses third party services in one way or another, whether it is your email provider (Gmail, Outlook, Bing etc.), your delivery company (UPS, Royal Mail, etc.), your website host, or your accounting or payroll software. Any organisation that processes personal data on behalf of your business needs to be recorded in your data map.


Add a third party service

Think about your business’s different functions (Accounting, Payroll, Sales, Marketing, HR, Operations, Security, Communications, Collaboration, etc.) and any third parties you use to carry them out. If they handle any personal data, you need to record them here.


TOP TIP

Work through this systematically. Use the filters at the top to work through the third parties by category.

Identify the key functions of your business and invite the individuals responsible for them. Ask them to list all the services they use for each of their functions, then add those services here.


Add a custom third party

If you can’t find the third party company you are looking for in the list, you can add your own by clicking the “Add custom” button underneath.


For third parties already recorded in PORT.im, we have done a lot of the legwork for you. However, when you create a custom third party processor, you will need to answer a few more questions to document the third party accurately.


What is their name?

This question refers to the name of the third party. The name doesn't need to be the legal entity name; it can be just the common brand name of the service. 


Have you performed an assessment of their data protection practices?

It is best practice to assess the third party provider’s data protection practices, but it is by no means essential. Where special category data or high-risk processing occurs, it is strongly recommended that you make an assessment.


Do you have a data processing agreement in place?

A data processing agreement is quite simply an agreement between two parties about how data will be processed. Data processing agreements provide additional assurances and may be required when transferring data outside of your jurisdiction.

The regulator does not mandate data processing agreements. However, other regulated ecosystems such as Google Play Store and Apple App Store will require data processing agreements to be in place.


Do you have a copy of the data processing agreement?

If you do have a data processing agreement, you can upload a copy here for safekeeping. Uploading data processing agreements will also improve your PORT.im Privacy Score. 


Does data transfer outside the UK and the European Economic Area (EEA)?

The GDPR restricts the transfer of data to third countries unless sufficient safeguards are in place. The GDPR protects transfers within the EEA.

The EU countries are Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain and Sweden.

The EEA includes EU countries and also Iceland, Liechtenstein and Norway.

TOP TIP

International businesses will, in general, process your data in the country in which they are based. However, some companies offer “data ring-fencing” or local server options, which you may wish to use where special category or high-risk data processing takes place. You may need to check with your service provider for more details about this.


What safeguards will protect the data?

Appropriate safeguards are measures taken by a data controller or data processor to enable cross-border data transfers to be made to a third country or an international organisation.

The ideal situation is to be transferring data to a country with an ‘adequacy decision’ granted by the authorities of the jurisdiction in which your business processes data. Having an ‘adequacy decision’ means you can rely on legal safeguards already in place between your country and the country in question.

Until recently, organisations could make international transfers of data to the United States under the Privacy Shield arrangement between the EU and the US. However, Privacy Shield is currently invalid due to a reassessment of the agreement by the EU.


What safeguards will protect the data?

Where transfers cannot rely on an adequacy decision by the government, appropriate safeguards are usually used instead. The most common of these are Standard Contractual Clauses (SCCs), also known as Binding Corporate Laws. Standard Contractual Clauses are contractual promises made by the service provider that recognise individuals’ data rights under your jurisdiction’s regulations.


Incomplete third parties (Orange)

A green dot next to a service indicates that its record is complete. An orange dot indicates that your record for that service is incomplete. Once all your services are “green”, you can move on to the next step.
