The GDPR and sharing data with Third Parties
Please note this information is now out of date - please refer to the ICO for up-to-date GDPR information.
How the Third Parties you use are affected by the GDPR
For the purposes of the GDPR, third parties are anyone whom you share your customers' personal data with, for any reason.
Typically this will be a company from one of these categories:
- A payment provider, like PayPal, Stripe, Braintree or Sagepay
- A courier company, like DHL, DPD, MyHermes or Parcelforce
- A mailing list provider, like MailChimp
- Suppliers, often if they are shipping straight to your customer
- Accountants, if you give them a full copy of your accounts each year
- Suppliers of CRM software, such as SalesForce
- Sub-contractors
In the language of the GDPR third parties are "processors" of your data, whereas you are the "controller" and the GDPR stipulates:
"Whenever a controller uses a processor it needs to have a written contract in place."
Consequently, you are highly encouraged to approach each of the third parties you routinely share customer data with and ask for a copy of the contract or agreement in effect between you.
These contracts need to cover some specific topics regarding data sharing, and these are covered in detail here.
If you are comfortable that these agreements/contracts cover:
- the duration of the processing;
- the nature of the processing;
- that a duty of confidence is in place;
- and that your "processors" understand that nothing within the contract relieves the processor of its own direct responsibilities and liabilities under the GDPR
- then print each contract and file it away in case of an audit. If you cannot be sure that the contract covers everything specified by the GDPR then you can speak to the ICO helpline or seek legal advice.
Third parties and Privacy Policies
As above, if you share customer information with any third parties for any purpose, you must make it clear who you are sharing the data with, and why, before you collect that information from your customer.
If the sharing is unnecessary to the main service you provide, they must be offered the option to consent to this sharing. It should not be assumed by default.
In practice, this means documenting all of the third parties, by name, and why you share data with them within your Privacy Policy and making sure your Privacy Policy has attention drawn to it alongside any data collection. As this collection is typically done via web forms see this section. For full advice on your Privacy Policy content please see this section.
Analytics software
The vast majority of websites make use of software that tracks their visitors to provide overall information about trends and website usage. In the vast majority of cases, these do not collect personally identifiable data about your visitors, so they are exempt from consideration by the GDPR.
However, it is entirely possible to circumvent this general rule by passing the analytics software some personal data you collect, such as an email address or any other customer identifier. At this point, they would have to be treated like any other third party.
Since all analytics software uses cookies to track your user (anonymously), you should mention the use of this cookie in your privacy policy, but this is a prior requirement and not part of the GDPR.