Organisations share personal data with third parties all the time, but can they be trusted?
Data breaches at service providers can have a ripple effect throughout the supply chain, disrupting processes, causing delays and potentially even resulting in fines.
Under the GDPR (General Data Protection Regulation), for instance, an organisation can be held liable for a security incident that occurs further down the supply chain.
This is a real threat that every organisation must account for. According to a Ponemon Institute and RiskRecon study, between 2021 and 2022, 54% of surveyed organisations suffered a data breach caused by a third party.
But how can you prepare for this threat, and what else does the GDPR say about third-party security practices? We explain everything you need to know in this blog.
How third-party relationships work under the GDPR
Before we begin, let’s be clear about how the GDPR works: any organisation that processes EU residents’ personal data is subject to its requirements.
When you outsource data processing activities to another organisation, you are a data controller and the third party is a data processor.
A data controller decides what information is processed and the lawful basis for doing so, whereas a data processor completes the processing on behalf of the controller.
Under the GDPR, data controllers are responsible for their own compliance as well as that of processors.
As such, it’s essential that you research the security practices of any potential third party and agree in writing to the measures it will take to secure its systems.
The contract must also state that third parties:
- Will act only on your documented instructions;
- Won’t contract a sub-processor without your prior approval; and
- Will delete or return all personal data to you at the end of the contract.

Are you liable for third-party data breaches?
Liability depends on the specifics of the contract you signed with the third party. If you don’t have a contract, then you haven’t fulfilled your responsibilities under the GDPR and can be punished regardless of how the breach occurred.
If you have a contract but the supplier failed to meet its obligations, it may be liable to pay damages or other fines. This is also the case if the supplier sub-contracted some, or all, of the processing activities.
Nonetheless, although the supplier will be responsible for paying fines, the data controller is tasked with meeting the GDPR’s notification requirements.
Tips for dealing with third parties
Data controllers must be accountable for the way third parties process personal data. In the event of a security incident, it’s not good enough to deny any wrongdoing and lay the blame entirely on the supplier.
You must therefore be confident that the third party takes data protection seriously and will implement appropriate measures to meet the Regulation’s requirements.
When reviewing your relationship with third parties, organisations must:
- Not assume that third-party vendors take security and compliance seriously, let alone are GDPR compliant.
- Clearly define all areas and activities in which the GDPR is in scope, and have third-party vendors agree and provide signed contractual assurances that their processes meet the Regulation’s requirements.
- Confirm with third-party vendors that they will not outsource any GDPR-relevant scoped services without written approval.
- Regularly audit third-party vendors’ processes.
Simplifying your GDPR compliance practices
The GDPR has been in effect for a while now, but many organisations are still struggling to meet its requirements.
You must address your compliance requirements and ensure that you are maintaining a high standard.

That’s easier if you use GDPR Manager, a tool that helps you document and manage key compliance processes in one location.
You can use it to keep track of third parties handling your data, respond to DSARs (data subject access requests), assess and manage your compliance gaps, and record and report on data breaches.
A version of this blog was originally published on 18 December 2017.
Thanks for finally writing about “The GDPR: Why you need to review your third-party service providers’ security – IT Governance Blog En”. Loved it!
Awesome website you have here, but I was curious if you knew of any user discussion forums that cover the same topics talked about in this article? I’d really love to be a part of an online community where I can get suggestions from other knowledgeable people who share the same interest. If you have any recommendations, please let me know. Thanks a lot!
If you belong to LinkedIn, you will find lots of groups covering data protection and information security where members share ideas and articles.
Thank you for the blog post. Thomas and I were already saving to get a new e-book on this theme, and your short article has saved all of us the money. Your thoughts really resolved all our inquiries, in fact more than what we had known before we came upon your amazing blog. I no longer nurture doubts or a troubled mind, because you have totally attended to our needs here. Thanks.
This is a very insightful article. We had better double-check our third-party service providers’ security. Thanks for sharing!