Data Sharing and Third Parties: Questions to ask before sharing personal information you’ve collected

Regulators around the globe have been targeting their enforcement efforts at companies that engage in data sharing with third parties without consent. In fact, 3 of the largest fines under the GDPR in 2021 related to inadequate consents and third-party data sharing. To help your organisation avoid these pitfalls, we’ve outlined some questions you should ask before sharing personal information you’ve collected with a third-party vendor.  

5 Questions to Ask Before Sharing Data with Third Parties

Question 1: Are you permitted to share data with third-party providers? 

The first question to ask before sharing data with third parties is an internal question: are you able to share the data you’ve collected with the third party?  

Where the third party is providing a service – like data storage – it may be that the sharing does not need any special notice or consent. In other cases, this may not be so clear, particularly where the sharing is going to be for a different use.  For example, you hold the sales records for people who’ve bought your products, but you want to share those records with a new partner as part of a joint marketing promotion. In many cases, you will need a valid user consent before sharing personal information you have collected with any third party, especially where that third party is a marketing organisation. The way you obtain consent will vary depending on where your users are located and whether you’re planning on sharing data with a third party located in another country, since the laws do differ slightly in California, Europe, and Australia (and countless other jurisdictions around the world).  

If you’re uncertain whether you can share data, whether you need consent, or whether the consent you hold is valid, it is best to seek legal advice before sharing any information. The consequences of sharing personal information with third parties without proper consent can be significant (as we saw in the Grindr breach we discussed recently).

Question 2: What data does the third-party vendor need to achieve their purposes – and what data do they intend to access? 

Much like you should only be collecting personal information and data that help you achieve your organisation’s purposes, you should ensure your third-party vendors are doing the same. As such, it’s a best practice to only provide your third-party provider with the personal information they need to achieve the agreed purposes.  In some cases, third parties may want to use shared data for their own purposes. We often see, for example, service providers wanting to de-identify shared data and then use it for their own internal research and product development purposes.  

Particular care should be taken whenever agreeing to a third party using your data for their own purposes, even where they say it will be de-identified. The purposes should be clearly defined and agreed, and they must be valid purposes. You also need to agree on what ‘de-identified data’ means and whether that definition is consistent with the different laws that might apply.

One significant benefit of being careful about the data shared is that it allows you to manage the risk arising from your third-party providers more effectively. Data breaches involving sensitive information, such as medical information, government IDs, or credit card numbers, tend to be more expensive and more damaging to an organisation’s reputation. By limiting access to those types of information to third parties (and even employees) who really need it, you limit the risk that data poses to your organisation.

Question 3: What will happen to the data shared with the third party at the conclusion of the contract?

Before sharing any data with a third party, you should ensure your services agreement requires them to securely delete and/or destroy the data you share with them at the conclusion of the contract. It is a best practice to outline the exact mechanisms you require them to use when deleting or destroying the data, to ensure they are up to standard.  

Additionally, you should enquire about their data retention policies. Generally, it’s unlikely that you would want your third-party providers to retain the personal information you have collected for any longer than you would hold it yourself. In fact, you will likely face compliance issues with the consents you have obtained if they retain the information for longer than you have received consent to hold it. You can be held responsible for data breaches stemming from third parties with which you have shared personal information.

Question 4: Who will have access to the data and personal information you supply to the third-party provider?   

There are two compelling reasons that you should ask any third-party provider to provide details of who will have access to the data and personal information you supply. Firstly, this will help you adequately assess your risk stemming from sharing data with the third party and can help you to complete your data mapping processes with accuracy.  

Secondly, it is unlikely that all users associated with your third-party provider will require access to the data you supply. As such, it is wise to require the third-party provider to limit access to personal information to a set of privileged users who require the information to achieve their legitimate purposes.  

Limiting the number of users who have access to certain categories of data, such as personal information, can help to reduce the risk associated with sharing data with third parties. It reduces the amount of data accessible if a third-party user’s credentials are stolen or compromised. Additionally, it reduces the risk of an employee stealing or accidentally leaking the data.

To achieve this in practice, you should write clear policies and protections regarding access permissions for third-party users into your contracts. These can be bolstered by requirements that the third-party provider implement specific procedures when it is being onboarded.

Common protective measures associated with access control include: 

  • Multi-factor authentication requirements.  
  • Eliminating shared accounts.  
  • Not allowing users to autosave passwords to shared computers.  
  • Implementing a privileged access management system.  
  • Limiting a user’s ability to download information (and other command filtering actions).  


Question 5: What cybersecurity protections will be applied to the data shared with the third party?   

Since your business may face reputation and compliance issues in cases where a third-party vendor suffers a data breach, you should ensure that cybersecurity minimum standards and relevant protections are included in your service provider agreements.

The provisions should include, at a minimum:  

  • That the third party notify you within a certain (short) period following any security incident or data breach.  
  • Precise details of minimum standards and processes. To better protect your business, you should include provisions that outline specific minimum standards alongside details of processes for data management and protection to ensure adequate cybersecurity controls and protections are built into your contracts. These minimum standards should also reflect your compliance obligations in any relevant jurisdictions, including those under the GDPR and CCPA. 
  • A requirement that your third-party vendor is audited at agreed periods to confirm compliance with your cybersecurity minimum standards.  
  • The consequences for breaching the service provider agreement. In many cases, it would be appropriate to terminate the agreement immediately or with a short period of written notice if the third party does not meet the minimum cybersecurity standards outlined in the agreement.  
  • That the third party maintain a breach response plan, as well as other protections, like cybersecurity insurance.  

You might also consider limiting your liability for third-party breaches through your contracts.  

Protect the Data You Share Through Your Third-Party Agreements with Privacy 108 

Privacy 108 works with organisations to create more privacy-focused third-party agreements. Our experienced team is happy to liaise with third party providers to assess their privacy protections and will review your terms of service to ensure that the data shared with a third party is adequately protected.  

If you need assistance protecting the personal information you have collected, reach out:  


Privacy, software design and technology. Ian is a privacy, IT and software contracts lawyer with over 30 years of experience as a lawyer and over 20 years of experience advising on the legal aspects of data management and processing.