Fears over GDPR liability when using third parties

A leading expert in data management and GDPR warns companies to urgently check whether they may be in breach of new regulations.

Image credit: iStock

GDPR expert Bruce Smith from Tenax Analytics offered stark advice amid revelations that companies could feel the full weight of the law if the vendors they use, such as registration services or travel agencies, were found not to be GDPR compliant.

With fines of up to €20 million or a percentage of global profit among the sanctions available to the Information Commissioner, Smith, speaking at IBTM in Barcelona, cited figures from a recent RSA conference on security.

"What can happen is that you may have all of your systems as GDPR compliant when it comes into effect," said Smith. "But if you are not watching out for what your contracted vendors are doing to make sure that they have assured you that they are compliant with the GDPR and have followed all the procedures.

"They could be more vulnerable, which would then make you all more subject to risk, if something happened to them, processing their information. It means the data subject (individual) could go after both of you, and you’d both be liable because you (as the controller) have not done your due diligence."

Statistics from an RSA Conference session - called 'Combatting Cyber Risk in the Supply Chain' - revealed that 76% of all data breaches come from the introduction of security deficiencies by a third party. It was also claimed that companies are "more concerned than ever with the reputation of their vendors". 

Smith says that there are two parts to GDPR: one is the role of controller, the other that of a processor of data.

"You can be both roles, depending on the task. You can be a controller of some information and a processor of others, and you can have third-party vendors in our industry, where they are processors of data. You might outsource your travel to a travel agency, or to a registration service where they become processors for you.

"The problem arises when companies do not think to check that their vendors have not made sure they are GDPR compliant, which means that an individual could challenge both firms in the courts."

"What can happen is that you may have all of your systems GDPR compliant when it comes into effect," Smith added.

"But if you are not watching out for what your contracted vendors are doing, they could be vulnerable, which would then make you all more subject to risk, if something happened to them. It means the data subject (individual) could go after both of you, and you’d both be liable because you (as the controller) have not done your due diligence."

Smith says there are simple questions that can be asked that give an idea of where each vendor is in the preparation for GDPR.

From that, it is possible to see whether a vendor is ready, is taking steps to be ready, or is really not even paying attention to GDPR.

 

For more features and breaking news sign up to C&IT Magazine's daily News Tracker.
