The EU General Data Protection Regulation (GDPR) seeks to strengthen how companies handle the valuable personal data they are responsible for, whether they collect and process the data themselves or contract a third party to do so. So when it comes to managing and securing this flow of valuable data, one important question is: Where are the weak links?

One of the more common ways cybercriminals attack larger organizations is by targeting trusted third-party suppliers that have fewer and weaker security controls. Looking into this area is critical, since many enterprises share data with other organizations without any visibility into what happens to it. A 2017 study by the Ponemon Institute revealed that 57 percent of respondents don't have an inventory of the third parties they share information with, and 82 percent don't know whether their sensitive data was shared with a fourth or even a fifth party.
In the same survey, at least 56 percent of the respondents experienced a third-party data breach in 2017. This is a serious issue for enterprises because, under the GDPR, an organization can be held liable for supply chain breaches or compromises. On average, one breach alone costs U.S. companies $7.3 million in fines, remediation, and loss of customers.
Third-party suppliers can include marketing teams and law firms or even delivery services and freelance workers — any entity that collects or processes the data of customers, contacts, or employees. Outsourced IT backend processes such as cloud storage are also covered. Over the years we’ve seen some serious cases where organizations overlooked the security of these suppliers and became victims of a data breach.
A data controller can share in the liability of data processing leaks. For example, if a marketing firm suffers a data breach that results in leaked email accounts and phone numbers, the enterprise that hired the marketing firm and shared data with them can be held liable. To be exempt from liability, an enterprise has to prove that they were not in any way responsible for the event and that they exercised due diligence.
More generally, a controller can be liable for the damage caused by data processing and handling that goes against the GDPR rules. And a processor can also be liable for damage if it goes against the rules laid out by the GDPR or the instructions of the controller.
According to the GDPR, data subjects are entitled to certain rights: data accessibility, data portability, the right to transfer data, and the right to have the data deleted. Controllers (even third-party controllers) are responsible for ensuring these rights are enforced as well as protecting data. Processors have to comply with a strict set of security standards and also assist the controller in addressing data subject rights. Enterprises should determine if third-party suppliers are controllers or processors, and then make sure they are compliant with the GDPR standards for each.
In terms of data breach reporting, the GDPR is very clear. All processors should notify the controller without undue delay after becoming aware of a personal data breach. And if the personal data breach is likely to cause a high risk to the rights and freedoms of the data subject, then the controller also has to inform the data subject without undue delay.
For personal data breaches, controllers have to inform the supervisory authority within 72 hours of becoming aware of the breach. An exception applies when the breach is unlikely to result in a risk to the rights and freedoms of the data subject. Where notification is made later than 72 hours, it must be accompanied by reasons for the delay.