Organisations share personal data with third parties all the time, but can they be trusted? The EU General Data Protection Regulation (GDPR) makes it clear that organisations are accountable for data breaches caused by third-party service providers, which should be a major concern as third parties are reportedly implicated in 63% of data breaches.
The GDPR, which comes into effect on 25 May 2018, strengthens EU residents’ rights related to their personal data and gives supervisory authorities stronger disciplinary powers. Any organisation that fails to comply with the Regulation faces a fine of up to 4% of its annual global turnover or €20 million – whichever is greater. Although maximum fines will only happen if an organisation blatantly disregards the Regulation’s requirements, strict disciplinary action is still something to be concerned about.
Given that third parties pose such a large security risk, organisations need to protect themselves.
What you need to do
When reviewing your relationship with third parties, communications technology company 8×8 says:
- Don’t assume your third-party vendors take security and compliance seriously, let alone are GDPR compliant.
- Clearly define all of the areas and activities in which GDPR is in scope, and have your third-party vendors agree and provide signed contractual assurances they will achieve all the GDPR compliance intricacies by 25 May 2018.
- Agree that your third-party vendors will not outsource any GDPR-relevant scoped services without written approval.
- Do your due diligence and regularly audit your third-party vendors’ processes.
- Make sure your third-party vendors provide thorough background checks for all staff and contractors – including credit, employment and criminal records.
- Know where your third-party vendors’ employees are located, and decide whether you’re happy working with vendors employing staff and contractors in countries where hostile state actors operate and/or that are known for supporting, tolerating or ignoring cyber criminal activity.
You also need to be aware of the rules about transferring data outside the EU. Whether the GDPR applies depends on the location of the data subject, not on where the data is collected or stored. So whether your third-party service provider is based in the EU or not, the Regulation applies if they are collecting EU residents’ personal data.
You can’t transfer EU residents’ data to all countries, though. The GDPR only permits personal data transfers to countries that the European Commission deems to have an “adequate” level of personal data protection.
In the absence of an adequacy decision, transfers to non-EU states are allowed under certain circumstances, such as through standard contractual clauses or binding corporate rules. Derogations are also permitted under limited additional circumstances.
Although you probably have a team preparing your organisation for the GDPR, everyone who handles personal data also needs to know their obligations.
Staff awareness training is an essential component of any GDPR compliance framework. Our GDPR Staff Awareness E-learning Course provides an introduction to the GDPR, outlines the six principles for collecting and processing personal data and gives advice on how to apply these principles.