Imagine the scenario. Your business has spent copious time, resources, and energy to ensure your GDPR compliance. All the necessary documentation is in place, your staff has undertaken all required training, and your processes have been signed-off.
Then you receive an email.
One of your third parties has had a data breach and they have lost a significant amount of your customers’ personal data. As the data controller, you are liable for this breach. All the effort that your business has expended has now been undermined by the failures of one of your third parties.
Compromised GDPR integrity
Your third parties are part of your business’ GDPR compliance environment, and a weakness among them can compromise your overall GDPR integrity.
Think of it like chainmail. One weak link and the security of the chainmail is undermined. Yet these weaknesses are often left undetected and the risks undiagnosed.
There are several reasons for this.
Firstly, most businesses don’t have an accurate picture of the third parties who are processing their data subjects’ personal data. Does your business use an outsourced HR and/or payroll company? Both are common third-party data processors. How about a travel company for overseas business? Also a third-party data processor. Any external cloud-based software providers? Again, these are third-party processors.
Second, many contracts between businesses and their data processors either do not contain the necessary protections or are failing to be upheld by the data processor. Your third parties are responsible for protecting the personal data you control and should have the appropriate technical and organizational measures (TOMs) in place. These should be stipulated in the data processing agreement.
Finally, businesses that have (GDPR) contract clauses that enable them to audit their third parties will rarely, if ever, audit. Whilst your contracts may be watertight, many third parties still fail to adhere to their stipulated protection requirements. This means that any GDPR issue (such as a data breach) could grow in severity and may result in a particularly nasty surprise for your business. These audits can be done
Case studies: Vodafone Italia and British Airways
In November 2020, Vodafone Italia was issued with a $14.5 million fine after having been found to have violated several articles of the GDPR. A significant portion of these related to the illegal activities of third-party marketing agencies that Vodafone was transferring data to and from, many of whom were not accurately documented.
As the data controller, Vodafone Italia were held accountable by the Italian DPA and ordered to pay the fine – one of the largest the Italian DPA has issued to date.
Watchdog fines aren’t the only financial repercussion of a data breach – class action lawsuits and data subject compensation can markedly elevate the financial impact of a data breach. Although British Airways were fined £20 million as a consequence of a data breach related to their third parties, it is estimated that the compensation BA has had to pay their data subjects is in excess of £800 million. This, combined with the reputational damage suffered, has ensured that BA’s data breach has been a troubling episode for their business.
How to mitigate this risk
Mitigating the risk that these third parties pose centres upon understanding this risk in the first place. This cannot be achieved without a clear picture of your third-party data processors.
Identifying the weak links in your supply chain should come hand-in-hand with this picture.
Tacita’s Vendor Risk Management (VRM) service provides this clarity, allowing your business to observe and assess the risks posed by your third parties. Our service provides both a top-down overview of your organization’s risk environment, as well as a more in-depth breakdown of the types and extent of risks posed.
Contact us to see how we can help you assess your third parties!