You feel like a rock star. You found the right person at the right company. You found a data provider to give you the right email address, phone number, and mailing address. You’re ready to send that magical email, mail that flyer or gift card, and make that personal connection with your perfectly rehearsed phone call.

But are you sure that the information you have on that person is GDPR compliant? If not, you may want to check out my previous GDPR blogs, Getting Data Privacy Ready and Third Party Vendors, to find out how you can make sure your data is good to go.

This week’s blog will focus on compliance from the aspects of responsibility, security, and transparency, and how you can make sure that the data from your third-party vendors is GDPR compliant.

Responsibility: How much are you responsible for your third-party vendors?

You are 100% responsible for making sure your third-party data vendors are compliant with GDPR and other government regulations. You want to make sure that you are not putting your company’s reputation into the hands of a poorly run data vendor who could expose you to significant financial penalties because of non-compliant data. “Third parties are often the weakest link in a company’s data security, and are implicated in about 63% of all data breaches” (Aravo). Take a look at what experts are saying about GDPR responsibility:

“While you are working diligently to help ensure your own organization is compliant with GDPR, your organization is explicitly responsible for the readiness and conduct of the third parties that store or process your EU citizen’s personal information” – James Christiansen, Infosecurity.

“Under the GDPR and other regulation, not only do you need to keep your own house in order – you need to be confident in compliance of your third parties’ houses as well” – Anna Mazzone, Aravo.

Security: Is the data secure with the third-party?

It is always a good idea to ask your data vendors questions about their privacy policies to make sure they are compliant with data protection laws. However, verifying that the data is secure at rest and in transit is equally important. Data at rest is data that is not actively moving from device to device or network to network, and is stored or archived in some way, such as on a laptop, hard drive, or flash drive. Data in transit is data that is actively moving from one location to another, such as across the internet or through a private network. When it comes to the security of personally identifiable information (PII), protection for data at rest aims to secure inactive data that is stored, while protection for data in transit aims to secure active data as it travels from one place to another. Even though data in transit tends to be more vulnerable than data at rest because it is less secure when moving, the security of data at rest should not be ignored, as attackers tend to find it more valuable. The best way to protect both types of data is through encryption, as well as having up-to-date policies and procedures in place in case there is a data breach.

Transparency: Do I have a process to make any persons “be forgotten”?

How do you establish an effective process to work with your vendors to delete the data you are responsible for deleting? Are your third-party vendors transparent when it comes to informing you about their procedure for deleting personally identifiable information (PII) when requested?

It all begins with a phone call to your third-party vendor.

First, consider all copies of PII. An email to a third-party vendor containing the PII of a person requesting to be forgotten could leave a copy of the PII in your email “Sent” folder and in the third party’s email “Inbox” on the email servers. This could become a big problem if your marketing or sales team installs an application that searches all emails sent by anyone in the company (and as you know, emails cannot “self-destruct”). That is a lot to consider, but having a good process is the key.

Test Your Organization and Vendors

Performing a simple test to confirm your organization and vendors are compliant can go a long way in ensuring you don’t end up with a hefty fine. Once you have the name of the person you wish to remove from your database, go ahead and delete their PII from, at a minimum, all 5 of the following systems:

  • Customer Relationship Management System (CRM)
  • Marketing Automation System (MAS)
  • Email list
  • Third-party data vendor
  • ERP or other financial systems

Completing this test will confirm that your data is being removed the way you want it to be.

Where to find help?

Technologies, like RingLead Data Management Solutions (DMS), are now available to help companies comply with privacy laws by only providing verified contact information when adding and enriching sales or marketing leads. You just need to make sure you have the right technologies in place to be successful.

My next blog on GDPR, Getting Help From Your Vendors, will guide you in understanding how your third-party vendors can assist in GDPR compliance.

Next Blog: Email me to be updated on my next blog

Inspired by “Getting in Front of Data” written by Thomas C. Redman PhD


“Top Thoughts For GDPR Compliance”, Infosecurity

“The EU GDPR and Third-Party Risk”, Aravo
