Episode 159: Mastering Third-Party Relationships (Part Two)
Joe Kirk, Jasmine Harrison, Philip Brining
Data Protection Made Easy: Mastering Third-Party Relationships (Part Two) – A Deeper Dive
Join hosts Jasmine Harrison, Joe Kirk, and Phil Brining for Episode 159: Mastering Third-Party Relationships (Part Two). This is the second part of a series on the crucial topic of mastering third-party relationships with organisations in data protection. Let’s delve deeper into each point discussed:
1. Revisiting the Basics:
- The episode starts by revisiting the fundamental concept of third-party relationships in data protection. This includes understanding the difference between:
  - Joint control: When two or more organisations share control over the purpose and means of processing personal data.
  - Independent control: Where one organisation has complete control over the data processing activities.
2. Navigating International Data Transfers:
- The discussion dives into the complexities associated with transferring personal data across borders. Key points include:
  - Understanding “adequacy decisions”: These are rulings by the European Commission determining whether a non-EU country offers a level of data protection comparable to the General Data Protection Regulation (GDPR). If a country lacks an adequacy decision, additional safeguards might be needed for data transfers.
  - Addressing organisational challenges: The episode acknowledges practical difficulties organisations face when transferring data internationally, including complying with different national regulations and implementing appropriate security measures.
3. Learning from a Real-World Case:
- The hosts share a practical case study related to third-party relationships, offering valuable insights into:
  - Potential challenges organisations might encounter in real-world scenarios.
  - The importance of considering various factors when navigating third-party relationships in practice.
4. Expanding the Scope of Third-Party Relationships:
- The episode goes beyond the typical “controller-processor” relationship, emphasising the importance of considering other crucial third parties, such as:
  - The Information Commissioner’s Office (ICO): The UK’s data protection regulator, responsible for enforcing data protection laws and potentially interacting with organisations.
  - Data Protection Consultants: Experts who provide guidance and support to organisations on navigating complex data protection issues.
  - Other Organisations: Potential collaborations with partners, vendors, or even competitors that might involve data sharing, requiring careful consideration of data protection aspects.
5. Beyond Formal Data Sharing:
- The conversation extends the understanding of third-party relationships beyond formal data sharing agreements. It acknowledges that such relationships can also involve:
  - Responding to ad-hoc data requests from regulators like the ICO, where personal details might be inadvertently disclosed.
  - Reporting a data breach, where personal details might be included even with efforts to minimise them.
Overall, this episode emphasises the importance of adopting a comprehensive view of third-party relationships when managing data protection effectively. It goes beyond the traditional controller-processor relationship, highlighting the broader ecosystem involved in handling personal data and the need for careful consideration of all aspects in this complex landscape.