adequacy decision data protection data sharing GDPR ICO international transfers Third-Party Relationships

Episode 159: Mastering Third-Party Relationships (Part Two)

Joe Kirk, Jasmine Harrison, Philip Brining

Episode 159 Mastering Third-Party Relationships (Part Two)

Data Protection Made Easy: Mastering Third-Party Relationships (Part Two) – A Deeper Dive

Join hosts¬†Jasmine Harrison, Joe Kirk, and Phil Brining for Episode 159: Mastering Third-Party Relationships (Part Two). This is the second part of a series on the crucial topic of mastering third-party relationships with organisations in data protection. Let’s delve deeper into each point discussed:

1. Revisiting the Basics:

  • The episode starts by revisiting the fundamental concept of third-party relationships in data protection. This includes understanding the difference between:
    • Joint control: When two or more organisations share control over the purpose and means of processing personal data.
    • Independent control: Where one organisation has complete control over the data processing activities.

2. Navigating International Data Transfers:

  • The discussion dives into the complexities associated with transferring personal data across borders. Key points include:
    • Understanding “adequacy decisions”: These are rulings by the European Commission determining whether a non-EU country offers a level of data protection comparable to the General Data Protection Regulation (GDPR). If a country lacks adequacy, additional safeguards might be needed for data transfers.
    • Addressing organisational challenges: The episode acknowledges practical difficulties organisations face when transferring data internationally, including complying with different national regulations and implementing appropriate security measures.

3. Learning from a Real-World Case:

  • The hosts share a practical case study related to third-party relationships, offering valuable insights into:
    • Potential challenges organisations might encounter in real-world scenarios.
    • The importance of considering various factors when navigating third-party relationships in practice.

4. Expanding the Scope of Third-Party Relationships:

  • The episode goes beyond the typical “controller-processor” relationship, emphasising the importance of considering other crucial third parties, such as:
    • The Information Commissioner’s Office (ICO): The UK’s data protection regulator, responsible for enforcing data protection laws and potentially interacting with organisations.
    • Data Protection Consultants: Experts who provide guidance and support to organisations on navigating complex data protection issues.
    • Other Organisations:¬†Potential collaborations with partners, vendors, or even competitors that might involve data sharing, requiring careful consideration of data protection aspects.

5. Beyond Formal Data Sharing:

  • The conversation extends the understanding of third-party relationships beyond formal data sharing agreements. It acknowledges that such relationships can also involve:
    • Responding to ad-hoc data requests from regulators like the ICO, where personal details might be inadvertently disclosed.
    • Reporting a data breach, where personal details might be included even with efforts to minimise it.

Overall, this episode emphasises the importance of adopting a comprehensive view of third-party relationships when managing data protection effectively. It goes beyond the traditional controller-processor relationship, highlighting the broader ecosystem involved in handling personal data and the need for careful consideration of all aspects in this complex landscape.

Listen to Episode 159: Mastering Third-Party Relationships (Part Two) here: