The GDPR: Why you need to review your third-party service providers’ security

Organisations share personal data with third parties all the time, but can they be trusted? 

The GDPR (General Data Protection Regulation) has extended the scope of responsibility when it comes to data protection and privacy, meaning you need to be a lot more careful about the implications of security incidents caused by service providers.

How third-party relationships work under the GDPR

Before we begin, let’s be clear about how the GDPR works: any organisation that processes EU residents’ personal data is subject to the Regulation and must meet its requirements. 

When you outsource data processing activities to another organisation, you are a data controller and the third party is a data processor. 

A data controller decides what information is processed and the lawful basis for doing so, whereas a data processor completes the processing on behalf of the controller. 

Under the GDPR, data controllers are responsible for their own compliance as well as that of processors. 

As such, it’s essential that you research the security practices of any potential third party and agree in writing to the measures it will take to secure its systems. 

The contract must also state that third parties: 

  • Will act only on your documented instructions; 
  • Won’t contract a sub-processor without your prior approval; and 
  • Will delete or return all personal data to you at the end of the contract.

Discover how to conduct a data flow mapping exercise under the GDPR in our free green paper.

Are you liable for third-party data breaches?

Liability depends on the specifics of the contract you signed with the third party. If you don’t have a contract, then you haven’t fulfilled your responsibilities under the GDPR and can be punished regardless of how the breach occurred. 

If you have a contract but the supplier failed to meet its obligations, it may be liable to pay damages or other fines. This is also the case if the supplier sub-contracted some, or all, of the processing activities. 

Nonetheless, although the supplier will be responsible for paying fines, the data controller is tasked with meeting the GDPR’s notification requirements. 

The EU Data Act

In February 2022, the European Commission unveiled a proposal for the EU Data Act, an additional piece of legislation designed to protect sensitive corporate data.

Unlike the GDPR, it applies to both personal and non-personal data. In the context of information security, this includes things such as intellectual property and financial data. It also includes personal data that has been anonymised or pseudonymised, which would put it out of the GDPR’s scope.

The EU Data Act is part of the European Commission’s broader European Strategy for Development, which was first publicly discussed in 2020. It’s designed to ensure that organisations understand the value of and adequately protect the information that they process.

The Act, which is intended to be wide-ranging and sector-neutral, is also intended to help public-sector bodies and unions use information held by private-sector firms in instances where there is an exceptional need.

Its legislators also hope the Act will help facilitate switching between Cloud and edge services, protect against unlawful data transfers and enhance the interoperability standards for data reuse.

If enacted, the EU Data Act will require organisations to provide relevant information to third parties upon request.

However, a third party isn’t eligible to receive information if it, or a member of its group, is a gatekeeper under the Digital Markets Act.

Organisations that hold sensitive information must implement processes that ensure the data is shared fairly, reasonably and on non-discriminatory terms.

The EU Data Act looks to protect organisations by imposing restrictions on the use of unfair contractual terms. This includes, for example, exclusions of liability for gross negligence by the organisation imposing the contractual term, or terms that give that organisation a unilateral right to interpret or terminate the contract.

Tips for dealing with third parties

Data controllers must be accountable for the way third parties process personal data. In the event of a security incident, it’s not good enough to deny any wrongdoing and lay the blame entirely on the supplier.

You must therefore be confident that the third party takes data protection seriously and will implement appropriate measures to meet the Regulation’s requirements. 

When reviewing their relationships with third parties, organisations must:

  • Not assume that third-party vendors take security and compliance seriously, let alone are GDPR compliant.
  • Clearly define all areas and activities in which the GDPR is in scope, and have third-party vendors agree and provide signed contractual assurances that their processes meet the Regulation’s requirements. 
  • Confirm with third-party vendors that they will not outsource any GDPR-relevant scoped services without written approval. 
  • Regularly audit third-party vendors’ processes. 

Simplifying your GDPR compliance practices


The GDPR has been in effect for a while now, but many organisations are still struggling to meet its requirements.

You must address your compliance requirements and ensure that you are maintaining a high standard.

That’s easier if you use GDPR Manager, a tool that helps you document and manage key compliance processes in one location. 

You can use it to: 

  • Keep track of third parties handling your data; 
  • Respond to DSARs (data subject access requests); 
  • Assess and manage your compliance gaps; and 
  • Record and report on data breaches.

A version of this blog was originally published on 18 December 2017. 