Streamline Sales and Build Trust with Transparency

The General Data Protection Regulation (GDPR) has been in effect for nearly five years now. May 25, 2018 is a date permanently etched in my mind. GDPR introduced substantial changes in how EU personal data is managed by both data controllers and processors, and enforcement is real. EU authorities have imposed thousands of fines, totaling approximately $4.9 billion. These range from minor penalties to significant amounts, such as the $1.2 billion fine against Meta Platforms Ireland Limited.

One of the major direct impacts GDPR and the subsequent Schrems II decision have had on B2B companies is the increase in frequency and intensity of third-party risk assessments. Third-party due diligence certainly wasn't introduced by GDPR, but GDPR codified the responsibilities of controllers to assess the processors they use and placed significant liability on controllers in that relationship. For "processors," this can mean longer sales cycles and often burdensome due diligence efforts.

To streamline sales and build trust, I recommend a proactive approach by processors. Provide customers (controllers) with the GDPR compliance information they need for their transfer impact assessments (TIAs) and data protection impact assessments (DPIAs). Information to consider for inclusion:

• What data is being transferred
• The purpose of processing
• Processing location (for adequacy decisions)
• Support for data subject rights
• Who has access to the data and for what purpose
• How data is encrypted in transit and at rest
• Data pseudonymization or deletion standards
• Laws relevant to the transfer
• Breach notification procedures
• Additional data protection measures
• Sub-processor details and notification procedures for changes
• Industry security standards in scope (NIST CSF, ISO 27001, etc.)

Beyond trust and efficiency, there is an added benefit to assembling these packages for sharing with customers as appropriate: it's a good exercise for surfacing your own gaps and risks!
Crucially, the cornerstone of the Controller <> Processor relationship under GDPR is the contract (the Article 28 data processing agreement, or DPA). I won't get into DPAs here; just make sure yours is good!

A really great example of this proactive communication, from my perspective, is Zendesk's trust center privacy page: https://lnkd.in/g7FsWjx4 (I have no affiliation with Zendesk, btw! I just appreciate their trust center!)

⚡ What's your approach? Any tips to add?

Further reading and references:
GDPR: https://gdpr-info.eu/
Schrems II: https://lnkd.in/gPFBwP3V, https://lnkd.in/gBhH2HHy
https://lnkd.in/gypimSTF
