Can you trust third-party due diligence for GDPR?
Mr Jones is concerned about data protection on the third-party websites through which he sells his products. He received a letter from the ICO stating that he needs to consider whether his company should be paying the annual data protection fee and registering with the ICO, so that the company is accountable under data protection law and regulation.
GDPR and ICO regulated third party vendors
Mr Jones owns a registered limited company. He does not own a website yet; he is an Amazon FBA seller, also sells on eBay, and shares links to his product listings on his social media accounts. Amazon and eBay, both independent platforms, advertise Mr Jones's products on their websites.
Amazon stores Mr Jones's products in its warehouses. The buyer pays through the Amazon or eBay site under that platform's terms and conditions and buyer protection, and each buyer holds an account with Amazon and / or eBay. Amazon and eBay are therefore third-party vendors of Mr Jones's products, and in that role they collect, process and store buyer data. Whether they do so on Mr Jones's behalf (as his processors) or for their own purposes (as controllers in their own right) is exactly the question Mr Jones needs to settle, because it determines his own obligations.
Should online sellers on third-party websites pay ICO data protection fees?
Mr Jones looked on the Amazon and eBay websites for information about GDPR compliance requirements for FBA sellers. He could not find it at first, so he joined the FBA seller forum. The forum suggested that Mr Jones would be exempt from the fee, but a forum post is an opinion from other sellers, not a determination from the ICO.
Mr Jones also considered whether he intended to collect specific personal data (such as delivery addresses) via his eBay account. He receives delivery addresses and any related data needed to post items to the buyer and to handle returns. Mr Jones considered using this data for a future marketing campaign. Reusing delivery data for marketing is a new purpose that he, not eBay, would be deciding on, so it is the kind of decision that makes a business a controller of that data. Mr Jones also needed to consider whether this would violate the eBay seller terms and conditions.
Still unsure, Mr Jones decided to complete the ICO's application form to establish whether he was exempt from the fee. The form and the online assessment tool set out the meaning of personal data and the roles of controller and processor, and asked Mr Jones to confirm which of these applied within his company. Mr Jones needed to decide whether he was a controller or a processor of personal data in order to understand and fulfil his duties under the GDPR.
Meaning of Personal Data, Controller and Processor
Personal data is any information relating to an identified or identifiable living individual, e.g., postal addresses, email addresses, bank account details, vehicle registration plates, telephone numbers and any other information that identifies a natural person. Personal data is handled by controllers or processors. The ICO defines a controller as the person or organisation that decides why personal data should be processed and how it is used; a processor is one that processes personal data only on a controller's instructions. You can work out whether you are a controller or a processor using the ICO's online self-assessment tool.
Fee payments for data protection on third-party websites
The ICO stipulates that if an organisation controls how and why personal data is used, then a fee must be paid to the ICO unless an exemption applies. For example, organisations that process payments online and store customer payment details will need to pay the data protection fee. Non-payment of the appropriate fee for your organisation can result in a penalty. The best way to find out whether you need to pay is to use the ICO's online self-assessment tool, which will also tell you which fee tier applies.
Is your business GDPR compliant?
Once you have paid your data protection fee, it is highly recommended to have checks and balances in place to review how personal data is managed in your business. This includes any outsourced management of personal data: it must be kept securely, and the accountabilities and consents at every level must be transparent to your business. You need well-documented record systems for collecting and processing accurate and relevant data, so that you can show a lawful basis (for example legitimate interests or the buyer's consent) for collecting, using and controlling that data in relation to your business.