Third-party vendors are a great asset to a growing business – outsourcing allows organisations to access expertise cost-effectively.
However, in the modern climate of data privacy concerns, using third parties exposes companies to regulatory and reputational risk. Because a data breach at a vendor is still a breach of your customers' data, third-party due diligence is vital to any organisation handling personal data.
Read on to find out:
1. How third-party breaches risk reputational damage
2. Third-party risk under GDPR
3. The risk management process for third-party compliance
Data Breaches and Reputational Risk
Third-party data breaches pose a significant risk to a company’s reputation. Consider these findings from a survey of 7,500 consumers in France, Germany, Italy, the U.K., and the U.S.:
- 69% of consumers said they have or would "boycott an organisation that showed a lack of integrity for protecting customer data".
- 62% of consumers said they would blame the company (i.e. the data controller), not the third party, if their data were compromised.
Reputational damage caused by third-party data breaches has financial implications too. IBM's 2019 Cost of a Data Breach Report found that when a third-party vendor is involved in causing a breach, the cost of that breach increases by around £280,000. The same report found that a breach occurring during a cloud migration carries a similar additional cost of around £226,000.
GDPR and Third-Party Risk Management
Under GDPR, the data controller remains accountable for its own compliance and for the processing carried out on its behalf by its data processors. Article 28 requires the controller to use only processors that provide sufficient guarantees of compliant processing, and to bind them with a written contract. In cases of outsourcing, the third party is normally the data processor (a third party that decides its own purposes and means of processing is instead a separate controller, with its own obligations).
The amount of risk an organisation takes on when using a third party depends on several factors, which are also the factors that determine whether a data protection impact assessment is needed. These include:
- The sensitivity of the personal data (special-category data such as health or biometric data carries the highest risk)
- The volume of data being processed and the number of data subjects affected
- The purpose for which the personal data is being processed
- Whether the processing is novel or relies on new technology
Organisations can mitigate this risk in the following ways:
- Ensure your own organisation is GDPR compliant before relying on others to be
- Thoroughly vet all third-party vendors and partners before any personal data is shared
- Enter into a data processing agreement with each third party that processes personal data on your behalf (a written contract meeting Article 28 is a requirement under GDPR, not an option)
- Regularly audit third-party security controls rather than relying on a one-off assessment at onboarding
- Build the risk management process into your contracts: audit rights, breach notification timelines, sub-processor approval, and return or deletion of data at the end of the relationship
Risk Management Process for Third-Party Compliance
According to a Soha Systems survey, third-party access is a factor in 63% of data breaches. With the stakes this high, a risk management framework is needed so that risk assessment is applied consistently to every vendor rather than ad hoc.
Phase 1: Planning
Management defines how third-party relationships will be managed: what processing is being outsourced, which personal data is involved, and what controls are expected of the vendor.
Phase 2: Due diligence and third-party selection
The enterprise conducts due diligence on every potential third party before selecting one and before entering into any contract or relationship, so that no personal data is shared with an unassessed vendor.
Phase 3: Contract negotiation
Management reviews the contract, or has legal counsel review it, before execution, confirming that the data processing agreement terms are present.
Phase 4: Ongoing monitoring
Management periodically reviews each third-party relationship, including the vendor's security controls, compliance status and any changes in what it processes or which sub-processors it uses.
Phase 5: Termination and contingency planning
Management maintains adequate contingency plans that set out the steps to be taken in the event of contract default or termination, including how personal data held by the vendor is returned or deleted.
Formiti’s outsourced DPO service manages all third-party contracts and due diligence saving you valuable resource time. Contact us for a one-hour obligation-free consultation.