GDPR and How It Affects Third-Party/Vendor Handling of Personal and Employee Data

Protiviti has issued a series of podcasts on various specific aspects of the General Data Protection Regulation (GDPR), the comprehensive EU data privacy law that became effective May 25, 2018. Below, we offer a transcript of the conversation with Jeff Sanchez, Managing Director with Protiviti’s Security and Privacy practice, discussing the changes data controllers and processors will need to make in the handling of personal data to ensure compliance with the law. For more about GDPR, visit our resources page at


In Depth Interview

Powerful Insights GDPR – Jeff Sanchez

June 21, 2018

Kevin Donahue: Hello, and welcome to a new installment of Powerful Insights. This is Kevin Donahue, a senior director with the Marketing group of Protiviti, and I’m pleased to be talking today with Jeff Sanchez. Jeff is a leader with Protiviti’s Security and Privacy group, and we’re going to be talking a little bit today about the new General Data Protection Regulation, which has gone into effect in the European Union. Jeff, thanks for joining me today.

Jeff Sanchez: Thanks, Kevin. Happy to be here.

Kevin Donahue: Jeff, my first question for you, which I have been asking a lot of our experts, is, the GDPR has now gone into effect; what are some of your initial takeaways? What are you hearing from companies in terms of the most common questions, challenges they are facing and such? What are you hearing in the market right now?

Jeff Sanchez: That’s a good question. The one thing I have seen as new is, I have seen the clients receive data-subject-rights requests, and so I think that’s probably the new thing. Instead of just preparing, now we are seeing it actually happen, and companies are struggling with what data they need from the data subject in order to process that data subject’s rights request, and how are they going to ensure the legitimacy of the request and the identity of the individual making the request?

Those are all things that I think people were preparing for in advance, but now that the actual requests are coming in – and some of the requests that I have seen have been very broad – I think the reality now that’s hitting is causing companies to reexamine their processes and the effectiveness of their processes, and especially some of those things around “How do we know that this request is actually coming from the person they are claiming to be, and how do we authenticate the individual?” and things like that. That’s the thing that I would say is brand-new.

The other thing that I think is continuing from before May 25 is a lot of these requests to validate security of control. As vendors get these requests, we’re seeing lots of companies get requests such as “Is your security up to snuff?” and “Are you GDPR-compliant?” and the range these questionnaires cover is pretty broad. Some of these questionnaires I’ve seen have just a small number of questions. Other questions are very, very detailed – hundreds of questions and everything in between. We are definitely seeing a lot of that.

The other thing that we’re seeing – and I’m sure many of us have seen these – is emails asking us, “Do you want to stay on our distribution list?” We have seen lots of questions from clients and companies about what they should do in that vein. If they’re dealing with business-to-consumer, do they need authorization or consent in order to continue marketing to people? If you’re business-to-business, what are the rules? That’s an area where we’re definitely seeing lots of questions.

Kevin Donahue: Thanks, Jeff. You mentioned briefly something about vendors. I wanted to follow up on that. How are vendors being looked at, or third parties of a company? Whether it’s a financial services company that works with an outside vendor to manage data or consumer products, whatever, how are they being scrutinized, and what is the responsibility of that company that has retained that vendor to ensure that everybody, or all those groups, are GDPR-compliant?

Jeff Sanchez: Right. GDPR flows downstream from the data controller. The data controller is the entity that originally receives the data from the data subject or whatever that personal identifying information is. Those other vendors that they share the data with would be considered data processors, and it is up to the data controller to ensure that all of their data processors are compliant with GDPR.

We see two different activities taking place there: One is contractual obligations. Generally, we’ve seen companies send data-privacy addendums for their contracts out to all of their vendors that have access to GDPR-relevant data. The second thing is ensuring compliance beyond just the contractual obligation but meeting the compliance obligation, so in that vein, we see many companies expanding or launching third-party security- and privacy-assessment programs.

Generally, this looks like surveys that are going out from the upstream data controller to the data processors that ask questions about their compliance, how they handle data and security controls that take place. Many companies have had this vendor-security program in the past, but with GDPR, we see more companies launch the programs and expansions of the programs to more privacy-related terms rather than simply security-related activities.

Kevin Donahue: Jeff, one last question for you before we wrap up here. We’ve heard a lot about how GDPR is designed to protect consumer data. How does this apply to the data of an employee of a company and the company’s responsibilities regarding that employee’s data?

Jeff Sanchez: One of the important things to keep in mind with GDPR is that the main objective of GDPR is to ensure that organizations are handling that sensitive data in an appropriate manner, and if there’s transparency between the data subject and the data controller as to how that data is being used. There is nothing in GDPR that limits this obligation to just a consumer-processor-type relationship. It covers any personal data that’s being shared with a commercial organization, and that covers both B2B relationships, where an organization may be selling product to another business but you’re still interfacing with an individual in that process, as well as the employee-employer relationship.

What this would mean is that it is important for the employer – in this case, they’d be the data controller – to ensure that they have transparency to their employees and how their data is being used and how their data is being processed. That means that, for example, an employer could not share a list of employees with their personal data with a health club company, for example, or a cell phone company, for example, without receiving permission.

I am careful here because one of the really sticky topics here is around consent, because in many cases, consent is not a valid method of processing for employee data because of the imbalance of power between the employee and the employer: The employer can’t require the employee to consent to certain things, because the employee does not necessarily have the ability to say no to that. It makes it tougher if the employer wants to share that information with a fitness center, or cell phone provider, or something like that. In many cases, they may not be able to do that anymore because they don’t have a legal basis of processing, and consent is not considered a valid and appropriate method to obtain the legal basis of processing between an employer and an employee because of the imbalance of power between the two. That makes it tougher for an employer to do something like that.

It also means, though, that the employer is obligated to ensure that all the processors that are involved in the mix are GDPR-compliant, and there are many of them. In an HR arena, you typically have health care providers – there could be multiples of those. You could have investment advisers, 401(k) providers. All those different organizations that are handling employee data would need to be in that third-party due diligence process that we just talked about. They would need to be covered by contractual obligations. Those same activities that we talked about for other types of relationships, that consumer-processor relationship, those same controls and methods all have to apply to the employee-employer relationship as well. It’s a little bit trickier, because you can’t use consent as your basis for processing there.

Kevin Donahue: Well, that’s another complex angle in what is certainly turning out to be a complex regulation.

Jeff Sanchez: Yes, absolutely.

Kevin Donahue: Jeff, I want to thank you very much for joining me today to discuss your views on the General Data Protection Regulation. I want to invite our audience to visit, where you can find much more information on this topic, including our comprehensive resource guide that has been published by Protiviti, Robert Half and Baker McKenzie.
