The GDPR and sharing data with Third Parties
How the Third Parties you use are affected by the GDPR
For the purposes of the GDPR, a third party is any organisation you share your customers' personal data with, for any reason.
Typically this will be a company from one of these categories:
- A payment provider, like PayPal, Stripe, Braintree or Sagepay
- A courier company, like DHL, DPD, MyHermes or Parcelforce
- A mailing list provider, like MailChimp
- Suppliers, often if they are shipping straight to your customer
- Accountants, if you give them a full copy of your accounts each year
- Suppliers of CRM software, such as SalesForce
In the language of the GDPR you are the "controller" of your customers' data. A third party that handles that data only on your instructions (a mailing list or CRM provider, for example) is a "processor"; some third parties, such as payment providers and couriers, decide for themselves how they handle the data they need to deliver their own service, and are therefore controllers in their own right with their own GDPR obligations. For processors, the GDPR (Article 28) stipulates:
"Whenever a controller uses a processor it needs to have a written contract in place."
Consequently, you are highly encouraged to approach each of the third parties you routinely share customer data with and ask for a copy of the contract or data processing agreement in force between you. Most large providers publish a standard data processing addendum that you can download or accept online.
These contracts need to cover some specific topics regarding data sharing, and these are covered in detail here.
If you are comfortable that these agreements/contracts cover the terms Article 28(3) requires, including:
- the subject matter and duration of the processing;
- the nature and purpose of the processing;
- the type of personal data and the categories of data subjects involved;
- that a duty of confidence is in place for anyone the processor authorises to handle the data;
- and that your processors understand that nothing within the contract relieves the processor of its own direct responsibilities and liabilities under the GDPR,
then print each contract and file it away in case of an audit. If you cannot be sure that the contract covers everything specified by Article 28(3) then you can speak to the ICO helpline or seek legal advice.
Third parties and Privacy Policies
As above, if you share customer information with any third parties for any purpose, your privacy policy must make clear who you share it with (or at least the categories of recipient) and why, and the customer must be able to read this before you collect the data from them.
If the sharing is not necessary for the service the customer has asked for, you need a separate lawful basis for it; where that basis is consent, the customer must actively opt in. Consent must not be assumed by default or collected through a pre-ticked box.
The vast majority of websites use analytics software that tracks visitors to report overall trends and usage. It is often assumed that because such tools report only aggregate figures they fall outside the GDPR, but be careful: cookie identifiers and IP addresses are online identifiers that the GDPR itself lists as potentially personal data (Recital 30), so check your analytics configuration (for example IP anonymisation and which identifiers are stored) rather than relying on a blanket exemption.
It is also easy to defeat even a carefully configured analytics setup by passing the tool personal data you collect, such as an email address or any other customer identifier, whether deliberately (as a user ID) or by accident (an email address in a page URL or query string). At that point the analytics provider must be treated like any other third party, with the contract and privacy policy disclosure described above.
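The accidental case is the one that catches most sites out: a "thank you" or "unsubscribe" page whose URL carries the customer's email address is sent to the analytics provider as the page path. The following is an added example, not code from the original page or from any analytics vendor. It scrubs email addresses and identifier-looking query parameters from a URL before it is reported, and provides a check that a test suite can run over analytics events to make sure none carries personal data. The list of parameter names, the `REDACTED` token and the `send` callback (standing in for whatever your analytics SDK exposes) are assumptions made for illustration.

```javascript
// Added example: keeping personal data out of analytics payloads.
// Not part of the original page; names and the PII_KEYS list are assumptions.

// Matches a plain email address anywhere in a string.
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/;

// Query-string keys and event properties that commonly carry personal data or a
// customer identifier (assumed list; extend it for your own site).
const PII_KEYS = new Set([
  "email", "name", "phone", "tel", "address", "postcode", "zip",
  "user_id", "userid", "customer_id", "customerid",
]);

// Redact email addresses and known PII keys from a URL before it is reported.
function scrubUrl(rawUrl) {
  const url = new URL(rawUrl);
  // Copy the entries first: set() mutates searchParams while we iterate.
  for (const [key, value] of [...url.searchParams.entries()]) {
    if (PII_KEYS.has(key.toLowerCase()) || EMAIL_RE.test(value)) {
      url.searchParams.set(key, "REDACTED");
    }
  }
  // Emails also turn up in the path itself, e.g. /unsubscribe/alice@example.com
  url.pathname = url.pathname.replace(new RegExp(EMAIL_RE.source, "g"), "REDACTED");
  return url.toString();
}

// Returns the property paths inside an event object that look like personal data,
// so a test suite can assert that analytics calls carry none.
function findPii(payload, path = "") {
  const hits = [];
  for (const [key, value] of Object.entries(payload)) {
    const here = path ? `${path}.${key}` : key;
    if (value !== null && typeof value === "object") {
      hits.push(...findPii(value, here));
    } else if (PII_KEYS.has(key.toLowerCase()) ||
               (typeof value === "string" && EMAIL_RE.test(value))) {
      hits.push(here);
    }
  }
  return hits;
}

// Wrapper that scrubs a pageview and refuses to send it if any personal data
// remains. `send` is the vendor SDK's send function (assumed signature: send(event)).
function trackPageview(send, { url, props = {} }) {
  const event = { type: "pageview", url: scrubUrl(url), props };
  const leaks = findPii(event);
  if (leaks.length > 0) {
    throw new Error("refusing to send analytics event carrying personal data: " + leaks.join(", "));
  }
  send(event);
  return event;
}

// Constructed sample input for illustration; no real customer data.
const sent = [];
trackPageview((e) => sent.push(e), {
  url: "https://shop.example/thanks?order=1001&email=alice%40example.com&utm_source=newsletter",
  props: { items: 3 },
});
console.log(sent[0].url); // the email parameter is replaced with REDACTED

module.exports = { scrubUrl, findPii, trackPageview };
```

Two caveats on the design. First, scrubbing is a safety net for accidents, not a licence to send identifiers: a hashed or pseudonymous customer ID is still personal data under the GDPR, so if you need per-customer reporting, treat the provider as a processor and put the Article 28 contract in place. Second, the regular expression and key list will not catch every form of personal data (names in free-text fields, for instance), so the `findPii` check belongs in your test suite alongside a review of what your analytics tool is actually configured to store.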