Every business uses third party services in one way or another, be it your email provider (Gmail, Outlook, Bing, etc.), your delivery company (UPS, Royal Mail, etc.), your website host, or your accounting or payroll software. Any organisation that processes personal data on behalf of your business needs to be recorded in your data map.
Add a third party service
Think about your business’s different functions (Accounting, Payroll, Sales, Marketing, HR, Operations, Security, Communications, Collaboration, etc.) and any third parties you use to facilitate them. If they utilise any personal data, you need to record them here.
Work through this systematically. Use the filters at the top to work through the third parties by category.
Identify the key functions of your business and invite the individuals responsible for them. Get them to list all the services they use for each of their functions and then add them in here.
Add a custom third party
If you can’t find the third party company you are looking for in the list, you can add your own by clicking the “Add custom” button underneath.
For third parties already recorded in PORT.im, we have done a lot of the legwork for you. However, when you create a custom third party processor, you will need to answer a few more questions to document the third party accurately.
What is their name?
This question refers to the name of the third party. The name doesn't need to be the legal entity name; it can be just the common brand name of the service.
Have you performed an assessment of their data protection practices?
It is best practice to assess the third party provider’s data protection practices, but it is by no means essential. Where special category data or high-risk processing occurs, it is strongly recommended that you make an assessment.
Do you have a data processing agreement in place?
A data processing agreement is quite simply an agreement between two parties about how data will be processed. Data processing agreements provide additional assurances and may be required where transferring data outside of your jurisdiction.
The regulator does not mandate data processing agreements. However, other regulated ecosystems such as Google Play Store and Apple App Store will require data processing agreements to be in place.
Do you have a copy of the data processing agreement?
If you do have a data processing agreement, you can upload a copy here for safekeeping. Uploading data processing agreements will also improve your PORT.im Privacy Score.
Does data transfer outside the UK and the European Economic Area (EEA)?
The GDPR restricts the transfer of data to third countries unless sufficient safeguards are in place. Transfers within the EEA are protected by the GDPR itself.
The EU countries are Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain and Sweden.
The EEA includes EU countries and also Iceland, Liechtenstein and Norway.
When dealing with international businesses, they will in general process your data in the country in which they are based. However, some companies offer “data ring-fencing” or local server options, which you may wish to use where special category or high-risk data processing takes place. You may need to check with your service provider for more details about this.
What safeguards will protect the data?
Appropriate safeguards are measures taken by a data controller or data processor to enable cross-border data transfers to be made to a third country or an international organisation.
The ideal situation is to transfer data to a country with an ‘adequacy decision’ given by the authorities of the jurisdiction in which your business processes data. Having an ‘adequacy decision’ means you can rely on legal safeguards already in place between your country and the country in question.
Until recently, organisations could make international transfers of data to the United States under the Privacy Shield arrangement between the EU and the US. However, Privacy Shield is currently invalid due to a reassessment of the agreement by the EU.
Where transfers cannot rely on an adequacy decision by the government, appropriate safeguards are usually used instead. The most common of these are Standard Contractual Clauses (SCCs), also known as Binding Corporate Laws. Standard Contractual Clauses are contractual promises made by the service provider that recognise individuals’ data rights based on your jurisdiction’s regulations.
Incomplete third parties (Orange)
A green dot next to a service indicates that its record is complete. An orange dot indicates that your record for this item is incomplete. Once all your services are “green”, you can move on to the next step.