The EU General Data Protection Regulation (GDPR) seeks to strengthen how companies handle the valuable personal data they are responsible for, whether they collect and process the data or contract a third party. So when it comes to managing and securing this flow of valuable data, one important question is: Where are the weak links?
One of the more common ways cybercriminals attack larger organizations is by targeting trusted third-party suppliers that have weaker security controls. Looking into this area is critical, since many enterprises share data with other organizations without any visibility into what happens to it afterwards. A 2017 study by the Ponemon Institute revealed that 57 percent of respondents do not have an inventory of the third parties they share information with, and 82 percent do not know whether their sensitive data was shared with a fourth or even a fifth party.
In the same survey, 56 percent of respondents experienced a third-party data breach in 2017. This is a serious issue for enterprises because, under the GDPR, an organization can be held liable for breaches or compromises in its supply chain. On average, a single breach costs U.S. companies $7.3 million in fines, remediation, and lost customers.
Third-party suppliers can include marketing teams and law firms or even delivery services and freelance workers — any entity that collects or processes the data of customers, contacts, or employees. Outsourced IT backend processes such as cloud storage are also covered. Over the years we’ve seen some serious cases where organizations overlooked the security of these suppliers and became victims of a data breach.
Who can be held liable for GDPR infringements?
A data controller can share in the liability for a data leak at one of its processors. For example, if a marketing firm suffers a data breach that leaks email addresses and phone numbers, the enterprise that hired the marketing firm and shared the data with it can be held liable. To be exempt from liability, an enterprise has to prove that it was not in any way responsible for the event that caused the damage and that it exercised due diligence.
There are two tiers of administrative fines for controllers and processors that infringe the GDPR. The higher tier is up to 20,000,000 euros or up to 4 percent of total worldwide annual turnover for the preceding financial year, whichever is higher.
More generally, a controller can be liable for damage caused by processing that infringes the GDPR. A processor is liable for damage where it has not complied with the obligations the GDPR places specifically on processors, or where it has acted outside of or contrary to the lawful instructions of the controller.
What responsibilities should your third-party suppliers be aware of?
Under the GDPR, data subjects are entitled to certain rights, including the right of access to their data, the right to data portability (receiving their data and having it transferred to another controller), and the right to have their data erased. Controllers (including third-party controllers) are responsible for honouring these rights as well as for protecting the data. Processors have to meet a strict set of security obligations and must also assist the controller in responding to data subject requests. Enterprises should determine whether each third-party supplier acts as a controller or a processor, and then make sure it complies with the GDPR obligations that apply to that role.
In terms of data breach reporting, the GDPR is clear. A processor must notify the controller without undue delay after becoming aware of a personal data breach. If the breach is likely to result in a high risk to the rights and freedoms of data subjects, the controller also has to inform the affected data subjects without undue delay.
The controller has to notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it. The only exception is a breach that is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification is not made within 72 hours, it must be accompanied by the reasons for the delay.
What should you do to prepare?
Six Things to Ask Your Suppliers:
1. Are you GDPR compliant?
2. Where is my data processed or collected?
3. Do you transfer data or farm out processing to other companies?
4. Who can access my data, where, and why?
5. How is my data secured?
6. Do you have breach notification procedures in place?
Map your data! Understand where your data is, and what any third party does with it. Are these third parties controllers or processors? You should also know exactly where your data is stored and processed.
Exercise due diligence — assess all the third parties that collect or process data for you. Do they have breach reporting policies? Are they GDPR compliant? Do they have proper security?
If your suppliers suffer a data breach, what happens? Assess the risks and figure out what you are liable for in that scenario.
Provide suppliers with only the minimum data they need to perform the task you have contracted them for.
Review initial agreements or contracts with third parties. You may need to revise the requirements to stay compliant with the GDPR.
Start evaluating and planning a switch to GDPR-compliant solution providers if your current providers have no plans to be compliant by May 2018, when the GDPR begins to apply.