The GDPR: Why you need to review your third-party service providers’ security

Organisations share personal data with third parties all the time, but can they be trusted? 

Data breaches at service providers can have a ripple effect throughout the supply chain, disrupting processes, causing delays and potentially even resulting in fines.

Under the GDPR (General Data Protection Regulation), for instance, an organisation can be held liable for a security incident that occurs further down the supply chain.

This is a real threat that every organisation must account for. According to a Ponemon Institute and RiskRecon study, between 2021 and 2022, 54% of surveyed organisations suffered a data breach caused by a third party.

But how can you prepare for this threat, and what else does the GDPR say about third-party security practices? We explain everything you need to know in this blog.

How third-party relationships work under the GDPR

Before we begin, let’s be clear about how the GDPR works: any organisation that processes EU residents’ personal data is subject to its requirements. 

When you outsource data processing activities to another organisation, you are a data controller and the third party is a data processor. 

A data controller decides what information is processed and the lawful basis for doing so, whereas a data processor completes the processing on behalf of the controller. 

Under the GDPR, data controllers are responsible for their own compliance as well as that of processors. 

As such, it’s essential that you research the security practices of any potential third party and agree in writing to the measures it will take to secure its systems. 

The contract must also state that third parties: 

  • Will act only on your documented instructions; 
  • Won’t contract a sub-processor without your prior approval; and 
  • Will delete or return all personal data to you at the end of the contract.

Discover how to conduct a data flow mapping exercise under the GDPR in our free green paper.

Are you liable for third-party data breaches?

Liability depends on the specifics of the contract you signed with the third party. If you don’t have a contract, then you haven’t fulfilled your responsibilities under the GDPR and can be punished regardless of how the breach occurred. 

If you have a contract but the supplier failed to meet its obligations, it may be liable to pay damages or other fines. This is also the case if the supplier sub-contracted some, or all, of the processing activities. 

Nonetheless, although the supplier will be responsible for paying fines, the data controller is tasked with meeting the GDPR’s notification requirements.

Tips for dealing with third parties

Data controllers must be accountable for the way third parties process personal data. In the event of a security incident, it’s not good enough to deny any wrongdoing and lay the blame entirely on the supplier.

You must therefore be confident that the third party takes data protection seriously and will implement appropriate measures to meet the Regulation’s requirements. 

When reviewing your relationship with third parties, organisations must: 

  • Not assume that third-party vendors take security and compliance seriously, let alone are GDPR compliant.
  • Clearly define all areas and activities in which the GDPR is in scope, and have third-party vendors agree and provide signed contractual assurances that their processes meet the Regulation’s requirements. 
  • Confirm with third-party vendors that they will not outsource any GDPR-relevant scoped services without written approval. 
  • Regularly audit third-party vendors’ processes. 

Simplifying your GDPR compliance practices

The GDPR has been in effect for a while now, but many organisations are still struggling to meet its requirements. 

You must address your compliance requirements and ensure that you are maintaining a high standard.

That’s easier if you use GDPR Manager, a tool that helps you document and manage key compliance processes in one location. 

You can use it to keep track of third parties handling your data, respond to DSARs (data subject access requests), assess and manage your compliance gaps, and record and report on data breaches.

A version of this blog was originally published on 18 December 2017. 

