Home/Articles/Security & Compliance
Security & Compliance

The GDPR Compliance Checklist for Third-Party Data Exchanges

Under GDPR, you aren't only responsible for the data you create — you're legally liable for the data you ingest. Here are the six checks every MDM team must pass before a third-party file reaches a master record.

9 min read·Security & Compliance

Master Data Management is built on a simple premise: a single, accurate, trusted record for every entity in your business. Every third-party data exchange is a threat to that premise — not just a quality threat, but a legal one. Under GDPR, ingesting data from a partner, vendor, or customer carries the same compliance obligations as collecting it directly.

The problem is structural. Most MDM teams focus on deduplication, record linkage, and golden record creation. The ingestion layer — the moment data crosses from a third party into your environment — often gets treated as a technical problem rather than a compliance one. GDPR auditors see it differently.

This checklist covers the six points where third-party data exchanges create GDPR exposure, what each check requires, and what Elvity handles automatically at each stage.

Before the checklist: Controller or Processor?

The most consequential GDPR question in any third-party data exchange is answered before a single row is ingested. Are you the Controller — the entity that determines the purpose and means of processing? Or are you the Processor — the entity that processes data on another's behalf?

The answer changes everything: which contracts you need, what consent obligations you carry, and who a data subject can hold accountable when they exercise their rights. Many MDM teams operate in both roles simultaneously, depending on the data category.

Data Controller

You decide the why and how of processing — the purpose and means. You are the primary legal entity accountable to data subjects.

MDM obligations

  • Maintain a lawful basis for every data category
  • Build consent management into your ingestion flow
  • Respond to Subject Access Requests within 30 days

Data Processor

You process data on behalf of another entity. You act under their instructions and may not go beyond the scope of the agreement.

MDM obligations

  • Execute a Data Processing Agreement (DPA) with the controller
  • Restrict ingested data to the agreed purpose only
  • Notify the controller of any breach within 72 hours

The six-point compliance checklist

Each item below maps to a specific GDPR article and a specific failure mode in the ingestion pipeline. Work through them in order — the first three are prerequisites for the last three.

1

Identify your role: Controller or Processor?

GDPR Art. 4(7) / 4(8)

The check: Have you defined the legal relationship before any data is exchanged?

If you skip it: No role definition means no DPA, no consent framework, and no clear accountability when a data subject exercises their rights.

Elvity: Elvity generates an import-level audit trail that documents every ingestion event with source, timestamp, and purpose — the foundation for demonstrating lawful basis regardless of your role.

2

Enforce data minimisation at the gate

GDPR Art. 5(1)(c)

The check: Does your importer allow you to drop fields that are not required for your stated purpose?

If you skip it: An importer that passes every column into your database will eventually write sensitive, unconsented data — a stray SSN field, a salary column, a health record — into your master records.

Elvity: Elvity's column mapping layer lets you select exactly which fields enter your environment. Unmapped columns are never written to your database — they don't pass through a filter, they never arrive.

3

Validate data accuracy before merging with master records

GDPR Art. 5(1)(d)

The check: Do you have a validation layer that checks integrity before third-party data touches your golden records?

If you skip it: Merging unvalidated third-party data into your MDM creates inaccurate master records. Under GDPR, storing inaccurate personal data is not just a quality problem — it's a legal violation.

Elvity: Elvity validates email addresses, phone numbers, and structured fields at ingestion. Invalid records surface before they commit — not after a complaint from a data subject.

4

Map the data origin for Right to Erasure compliance

GDPR Art. 17

The check: Can you look at any record in your MDM and identify exactly which third-party exchange it originated from?

If you skip it: When a data subject exercises their Right to Erasure, you have one month to comply. If you cannot trace a record's origin across every ingestion event, you cannot guarantee complete deletion.

Elvity: Elvity logs every import with source metadata — who submitted it, when, which file, which rows were accepted. Your compliance team can pull a full lineage trace on any record on demand.

5

Validate international data transfers

GDPR Art. 44–49

The check: Is the third party located outside the EEA? Do they comply with the EU-U.S. Data Privacy Framework or hold Standard Contractual Clauses?

If you skip it: Transferring personal data to a third party in a non-adequate country without the correct legal mechanism is a direct GDPR violation — regardless of what that data is or how it's used.

Elvity: Elvity's ingestion infrastructure is hosted in GDPR-compliant regions. Data does not transit through non-adequate jurisdictions during processing.

6

Implement security by design across the exchange

GDPR Art. 25 / 32

The check: Is data encrypted in transit and at rest? Is the processing sandboxed from your production environment?

If you skip it: GDPR's "Technical and Organisational Measures" requirement is not satisfied by policies alone. If your ingestion layer lacks encryption and isolation, you have a gap that an auditor — or a breach — will find.

Elvity: Elvity enforces TLS in transit, AES-256 at rest, and sandboxed processing by default. Built-in PII detection flags sensitive columns before they reach your database. No configuration required.

GDPR articles mapped to your MDM requirements

The table below maps each relevant GDPR article to its MDM impact and the coverage Elvity provides. Use it as a reference when responding to a DPA questionnaire or preparing evidence for a supervisory authority.

GDPR ArticlePrincipleMDM impactElvity coverage
Art. 4(7)/(8)Controller / Processor definitionDetermines DPA requirement and consent obligations at ingestionAudit trail documents role and purpose for every import
Art. 5(1)(c)Data minimisationMDM must not ingest more personal data than the stated purpose requiresColumn-level mapping ensures unmapped fields never enter your environment
Art. 5(1)(d)AccuracyThird-party data must be validated before merging with master recordsField-level validation at ingestion; invalid rows surfaced before commit
Art. 17Right to ErasureYou must be able to trace and delete a data subject's records across all sourcesSource metadata logged per row; full lineage available on demand
Art. 25Privacy by DesignPrivacy controls must be built into data processing systems by defaultPII detection and sandboxed processing are default, not optional
Art. 32Security of processingTechnical measures must protect data throughout the ingestion lifecycleTLS in transit, AES-256 at rest, isolated transformation environment
Art. 44–49International transfersData transferred outside the EEA requires an adequacy decision or SCCsInfrastructure hosted in GDPR-compliant regions; no non-adequate transit

The messy middle: where compliance gaps actually occur

Most GDPR violations in third-party data exchanges don't happen at the policy level — they happen in the gap between receiving a raw file and inserting it into your database. A partner sends a CSV. Your team maps the obvious columns. A stray sensitive field slips through unmapped. Three months later, a data subject requests erasure and you discover you're holding data you have no legal basis to retain.

Elvity sits at that gap by design. Data minimisation, field-level validation, PII detection, and source-level audit logging are not features you configure — they are the ingestion pipeline. The same system that handles encryption in transit and at rest is the system that enforces your column mapping rules and writes your compliance audit trail.

For a deeper look at how the ingestion layer fits into your SOC 2 posture alongside GDPR, see why your data importer is a SOC 2 audit risk. For the broader picture of how AI-native privacy principles apply to MDM, Privacy by Design for GDPR and AI-driven MDM covers the strategic layer.

Compliance in third-party data exchanges is not a one-time audit event. It's a property of your ingestion infrastructure — and it's either built in or it isn't.

Make your ingestion layer GDPR-ready

See how Elvity handles data minimisation, accuracy validation, source traceability, and security by design — the four GDPR obligations that live inside your CSV importer.