Episode 159: Mastering Third-Party Relationships (Part Two)

Joe Kirk, Jasmine Harrison, Philip Brining

Data Protection Made Easy: Mastering Third-Party Relationships (Part Two) – A Deeper Dive

Join hosts Jasmine Harrison, Joe Kirk, and Phil Brining for Episode 159: Mastering Third-Party Relationships (Part Two). This is the second part of a series on the crucial topic of managing third-party relationships between organisations in data protection. The points discussed are set out below:

1. Revisiting the Basics:

  • The episode starts by revisiting the fundamental concept of third-party relationships in data protection. This includes understanding the difference between:
    • Joint control: When two or more organisations share control over the purpose and means of processing personal data.
    • Independent control: Where one organisation has complete control over the data processing activities.

2. Navigating International Data Transfers:

  • The discussion dives into the complexities associated with transferring personal data across borders. Key points include:
    • Understanding “adequacy decisions”: These are rulings by the European Commission determining whether a non-EU country offers a level of data protection comparable to the General Data Protection Regulation (GDPR). If a country lacks an adequacy decision, additional safeguards might be needed for data transfers.
    • Addressing organisational challenges: The episode acknowledges practical difficulties organisations face when transferring data internationally, including complying with different national regulations and implementing appropriate security measures.

3. Learning from a Real-World Case:

  • The hosts share a practical case study related to third-party relationships, offering valuable insights into:
    • Potential challenges organisations might encounter in real-world scenarios.
    • The importance of considering various factors when navigating third-party relationships in practice.

4. Expanding the Scope of Third-Party Relationships:

  • The episode goes beyond the typical “controller-processor” relationship, emphasising the importance of considering other crucial third parties, such as:
    • The Information Commissioner’s Office (ICO): The UK’s data protection regulator, responsible for enforcing data protection laws and potentially interacting with organisations.
    • Data Protection Consultants: Experts who provide guidance and support to organisations on navigating complex data protection issues.
    • Other Organisations: Potential collaborations with partners, vendors, or even competitors that might involve data sharing, requiring careful consideration of data protection aspects.

5. Beyond Formal Data Sharing:

  • The conversation extends the understanding of third-party relationships beyond formal data sharing agreements. It acknowledges that such relationships can also involve:
    • Responding to ad-hoc data requests from regulators like the ICO, where personal details might be inadvertently disclosed.
    • Reporting a data breach, where personal details might be included even with efforts to minimise them.

Overall, this episode emphasises the importance of adopting a comprehensive view of third-party relationships when managing data protection effectively. It goes beyond the traditional controller-processor relationship, highlighting the broader ecosystem involved in handling personal data and the need for careful consideration of all aspects in this complex landscape.
