In 2021, WhatsApp was slapped with a £225 million fine imposed by Ireland’s Data Protection Commission. The reason? WhatsApp had failed to appropriately inform its users and gain their consent before sharing their data with its parent company, Facebook.
The Commission specifically accused WhatsApp of violating Article 29 by failing to obtain their users’ consent. Furthermore, the body found WhatsApp’s consent mechanism to be both unclear and vague, with users not being presented with a discernable choice related to whether they consent to having their data shared with Facebook.
The incident serves as a critical reminder for businesses and other organizations about how important it is to comply with Article 29. An organization's own data processing activities may be in order, but failing to put relevant measures in place to monitor its third parties’ ability to do the same can have harsh consequences, as was the case with WhatsApp.
For organizations aiming to comply with Article 29 of the General Data Protection Regulation (GDPR), here's what you need to know:
Article 29 is a relatively straightforward provision of the GDPR that mandates all data processors engaged in data processing activities on behalf of a data controller to proceed only with the processing activities as instructed by the controller.
The only exception to this strict requirement arises when proceeding with the processing activities as instructed by the controller would contradict a Union or Member State law.
Since coming into effect in 2018, the GDPR has garnered a reputation for being extraordinarily thorough in ensuring data subjects’ rights and freedoms related to their data are appropriately protected.
Article 29 demonstrates this perfectly by ensuring that even when third parties are processing data subjects’ personal data, it is protected appropriately.
If a data controller delegates processing activities to a data processor, the data processor can only carry out the processing activities by strictly following the instructions provided by the data controller.
Additionally, the data controller remains responsible for ensuring that all processing activities conducted under their name are done in a GDPR-compliant manner.
In other words, when an organization decides to outsource some of its data collection and processing activities to other organizations, Article 29 ensures that the users' data is appropriately protected via GDPR-compliant measures. Such measures drastically reduce the chances of potential data breaches or other privacy incidents as data controllers retain real-time insights into the processing activities of the processor on their behalf.
Some measures data controllers and processors can undertake to ensure compliance with Article 29 of the GDPR include the following:
Securiti is the pioneer of the Data Command Center, a centralized platform that enables the safe use of data and GenAI. It provides unified data intelligence, controls, and orchestration across hybrid multi-cloud environments. Large global enterprises rely on Securiti's Data Command Center for data security, privacy, governance, and compliance.
You can access numerous critical modules and products with the Data Command Center. Vendor Risk Assessment is one such product that enables a single repository for all an organization's third-party assessments, providing a single view for all ongoing assessments.
As a result, collaboration with internal and external stakeholders can be streamlined via a safe and secure dashboard.
Similarly, the Data Access Governance module can be leveraged to gain specific insights into which personnel and applications have access to what sensitive data, as well as the geographic region, specific system, or regulations tied to that data. Consequently, policies can be set up to control access to data based on the type, sensitivity, system, location, or regulatory requirements.
Request a demo and learn more about how Securiti can help your organization comply with your responsibilities under Article 29 of the GDPR.