Fears over GDPR liability when using third parties

A leading expert in data management and GDPR warns companies to urgently check whether they may be in breach of new regulations.

Image credit: iStock

GDPR expert Bruce Smith from Tenax Analytics offered stark advice amid revelations that companies could feel the full weight of the law if vendors they use for registration services or travel agencies were found to not be GDPR compliant. 

With the threat of fines of up to €20 million or a percentage of global profit available as sanctions to the Information Commissioner, Smith, speaking at IBTM in Barcelona, cited figures from a recent RSA conference on security.

"What can happen is that you may have all of your systems as GDPR compliant when it comes into effect," said Smith. "But if you are not watching out for what your contracted vendors are doing to make sure that they have assured you that they are compliant with the GDPR and have followed all the procedures.

"They could be more vulnerable, which would then make you all more subject to risk, if something happened to them, processing their information. It means the data subject (individual) could go after both of you, and you’d both be liable because you (as the controller) have not done your due diligence."

Statistics from an RSA Conference session - called 'Combatting Cyber Risk in the Supply Chain' - revealed that 76% of all data breaches come from the introduction of security deficiencies by a third party. It was also claimed that companies are "more concerned than ever with the reputation of their vendors". 

Smith says that there are two parts to GDPR: one is the role of controller, the other is that of a processor of data.

"You can be both roles, depending on the task. You can be a controller of some information and a processor of others, and you can have third-party vendors in our industry, where they are processors of data. You might outsource your travel to a travel agency, or to a registration service where they become processors for you.

"The problem arises when companies do not think to check that their vendors have not made sure they are GDPR compliant which means that an individual could challenge both firms in the courts.

"What can happen is that you may have all of your systems GDPR compliant when it comes into effect," Smith added.

"But if you are not watching out for what your contracted vendors are doing, they could be vulnerable, which would then make you all more subject to risk, if something happened to them. It means the data subject (individual) could go after both of you, and you’d both be liable because you (as the controller) have not done your due diligence."

Smith says there are simple questions that can be asked that give an idea of where each vendor is in the preparation for GDPR.

From that, it is possible to see whether a vendor is ready, is taking steps to be ready, or is really not even paying attention to GDPR.

 
