
  • Routinely update Article 30 documentation
  • Real-time transparency
  • Data subject request management

  • Third-party service providers: Your company likely entrusts consumer personal data to business partners. Consider whether your contractual agreements obligate those partners to also comply with the GDPR where they process EU personal data. If not, consult legal counsel on the appropriate data processing addendum to propose to those third parties.
  • Third-party service provider audit: If you obligated a third-party service provider to a data privacy and data security contract addendum, you likely included a right to audit its regulatory functions. Designate personnel within your company who will inspect, test and audit those functions. Determine how often you will request evidence of compliance or an on-site audit in order to fulfill your obligations under the Regulation and your representations to customers and/or consumers.
  • Prepare for enterprise customer requests and audits: If your company provides services, or functions as a data processor, you may be subject to heightened scrutiny by your customers, particularly if you agreed to a data privacy and data security addendum. Most addenda permit customers to request documentation regarding your GDPR compliance and to conduct an on-site audit. Customers may also request a list of your sub-processors or object to certain sub-processors, which requires you to maintain a varied list of suppliers and to prefer sub-processors who can attest to GDPR compliance. Customers will also seek your assistance in the event of a security incident or a data subject request related to data you have processed on the customer's behalf.

Bess Hinson is chair of the Cybersecurity & Privacy Practice at Morris, Manning & Martin.