Organisations share personal data with third parties all the time, but can they be trusted?
The GDPR (General Data Protection Regulation) extended the scope of responsibility when it comes to data protection and privacy, so where does that leave you when it comes to security incidents caused by service providers?
How third-party relationships work under the GDPR
Before we begin, let’s be clear about how the GDPR works: any organisation that processes the personal data of individuals in the EU is subject to the Regulation and must meet its requirements, whether or not the organisation itself is based in the EU.
When you outsource certain data processing activities to another organisation, you are a data controller and the third party is a data processor.
A data controller decides what information is processed and the lawful basis for doing so, whereas a data processor completes the processing on behalf of the controller.
Under the GDPR, data controllers are responsible for their own compliance and must use only processors that provide sufficient guarantees of meeting the Regulation’s requirements.
As such, it’s essential that you research the security practices of any potential third party and agree in writing to the measures it will take to secure its systems.
The contract must also state that third parties:
- Will act only on your documented instructions;
- Won’t contract a sub-processor without your prior approval; and
- Will delete or return all personal data to you at the end of the contract.
So, are you liable for third-party data breaches?
That depends on the specifics of the contract you signed with the third party. If you don’t have a contract, then you haven’t fulfilled your responsibilities under the GDPR and can be punished regardless of how the breach occurred.
If you have a contract but the supplier failed to meet its obligations, it may be liable to pay damages or fines. This is also the case if the supplier sub-contracted part, or all, of the processing activities.
However, even where the supplier is held responsible for a breach, you remain responsible for meeting the GDPR’s notification requirements. The processor must tell you about a breach without undue delay, but it is you, as the controller, who must notify the supervisory authority within 72 hours of becoming aware of it and, where the breach is likely to result in a high risk to individuals, inform the affected data subjects.
Tips for when you deal with third parties
The GDPR is clear that you must be accountable for the way third parties process personal data. In the event of a breach, it’s not good enough to deny any wrongdoing and lay the blame entirely on the supplier.
You must therefore be confident that the third party takes data protection seriously and will implement appropriate measures to meet the Regulation’s requirements.
When reviewing your relationship with third parties, communication technology company 8×8 recommends:
- Don’t assume your third-party vendors take security and compliance seriously, let alone are GDPR compliant.
- Clearly define all of the areas and activities in which GDPR is in scope, and have your third-party vendors agree and provide signed contractual assurances they will achieve all the GDPR compliance intricacies by 25 May 2018.
- Agree that your third-party vendors will not outsource any GDPR-relevant scoped services without written approval.
- Do your due diligence and regularly audit your third-party vendors’ processes.
- Make sure your third-party vendors provide thorough background checks for all staff and contractors – including credit, employment and criminal records.
- Know where your third-party vendors’ employees are located, and decide whether you’re happy working with vendors employing staff and contractors in countries where hostile state actors are employed and/or are known for supporting, tolerating or ignoring cyber criminal activity.
Simplify GDPR compliance with IT Governance
The GDPR has been in effect for over a year, but many organisations are still struggling to meet its requirements. That’s understandable, given the complexity of the Regulation and the cost of implementing appropriate controls, but it’s no excuse.
You must address your compliance requirements and ensure that you are maintaining a high standard. That’s easier if you use GDPR Manager, a tool that helps you document and manage key compliance processes in one location.
You can use it to:
- Keep track of third parties handling your data;
- Respond to DSARs (data subject access requests);
- Assess and manage your compliance gaps; and
- Record and report on data breaches.
A version of this blog was originally published on 18 December 2017.