GDPR expert Bruce Smith from Tenax Analytics offered stark advice amid revelations that companies could feel the full weight of the law if the vendors they use for registration services or travel agency work were found not to be GDPR compliant.
With fines of up to €20 million or 4% of global annual turnover, whichever is higher, among the sanctions available to the Information Commissioner, Smith, speaking at IBTM in Barcelona, cited figures from a recent RSA Conference session on supply-chain security.
"What can happen is that you may have all of your systems as GDPR compliant when it comes into effect," said Smith. "But if you are not watching out for what your contracted vendors are doing, to make sure that they have assured you that they are compliant with the GDPR and have followed all the procedures, they could be more vulnerable, which would then make you all more subject to risk if something happened to them while processing their information. It means the data subject (individual) could go after both of you, and you’d both be liable because you (as the controller) have not done your due diligence."
Statistics from an RSA Conference session called 'Combatting Cyber Risk in the Supply Chain' reported that 76% of all data breaches stem from security deficiencies introduced by a third party. The same session claimed that companies are "more concerned than ever with the reputation of their vendors".
Smith says that GDPR defines two roles: the data controller, which decides why and how personal data is processed, and the data processor, which processes that data on the controller's behalf.
"You can be both roles, depending on the task. You can be a controller of some information and a processor of others, and you can have third-party vendors in our industry, where they are processors of data. You might outsource your travel to a travel agency, or to a registration service where they become processors for you.
"The problem arises when companies do not think to check that their vendors have made sure they are GDPR compliant, which means that an individual could challenge both firms in the courts.
Smith says there are simple questions that can be put to each vendor to gauge how far along it is in preparing for GDPR.
From the answers, it is possible to see whether a vendor is ready, is taking steps to be ready, or is really not paying attention to GDPR at all.