GDPR & Third-Party Vendor Compliance


Third-party vendors are a great asset to a growing business – outsourcing allows organisations to access expertise cost-effectively.

However, in the modern climate of data privacy concerns, using third parties opens companies to legislative and reputational risks. The associated risk of a data breach makes third-party due diligence vital to any organisation dealing with personal data.

Read on to find out:

1. How third-party breaches risk reputational damage

2. Third-party risk under GDPR

3. The risk management process for third-party compliance

Data Breaches and Reputational Risk

Third-party data breaches pose a significant risk to a company’s reputation. Consider these findings from a survey of 7,500 consumers in France, Germany, Italy, the U.K., and the U.S.:

  • 69% of consumers said they have or would “boycott an organisation that showed a lack of integrity for protecting customer data.”
  • 62% of consumers said they would blame the company (i.e. the data controller), not the third party, if their data were compromised.

Reputational damage caused by third-party data breaches has financial implications too. IBM’s 2019 Cost of a Data Breach Report found that when a third-party vendor causes a data breach, the associated cost of the breach increases by £280,000. Incidentally, cloud migration carries a similar financial risk, costing an additional £226,000.

GDPR and Third-Party Risk Management

Under GDPR, the data controller is responsible for its compliance and the compliance of its data processor. In cases of outsourcing, the third party is the data processor.

The amount of risk an organisation opens itself to when using a third party depends on several factors. These include:

  • The sensitivity of personal data
  • The volume of data being processed
  • The reason the personal data is being processed
  • Whether the personal data is processed in a novel way or using new technology

Organisations can mitigate their risk in the following ways:

  • Ensure your organisation is GDPR compliant
  • Thoroughly vet all third-party vendors and partners
  • Enter data processing agreements with each third-party partner who processes personal data (a requirement under GDPR)
  • Regularly audit third-party security controls
  • Incorporate risk management processes into your contracts

Risk Management Process for Third-Party Compliance

According to a Soha Systems survey, third-party failure plays a part in 63% of all data breaches. With the stakes so high, it’s important to implement a risk management framework to ensure risk assessment is applied consistently.

Phase 1: Planning

Management develops plans to manage relationships with third parties.

Phase 2: Due diligence and third-party selection

The enterprise conducts due diligence on all potential third parties before selecting and entering into contracts or relationships.

Phase 3: Contract negotiation

Management reviews or has legal counsel review contracts before execution.

Phase 4: Ongoing monitoring

Management periodically reviews third-party relationships.

Phase 5: Termination and contingency planning

Management has adequate contingency plans that address the steps to be taken in the event of contract default or termination.

Formiti’s outsourced DPO service manages all third-party contracts and due diligence saving you valuable resource time. Contact us for a one-hour obligation-free consultation.


Author: Formiti Data Privacy Consultancy Blog