Fears over GDPR liability when using third parties

A leading expert in data management and GDPR warns companies to urgently check whether they may be in breach of new regulations.

Image credit: iStock

GDPR expert Bruce Smith from Tenax Analytics offered stark advice amid revelations that companies could feel the full weight of the law if vendors they use, such as registration services or travel agencies, were found not to be GDPR compliant.

With fines of up to €20 million or a percentage of global profit among the sanctions available to the Information Commissioner, Smith, speaking at IBTM in Barcelona, cited figures from a recent RSA conference on security.

"What can happen is that you may have all of your systems as GDPR compliant when it comes into effect," said Smith. "But if you are not watching out for what your contracted vendors are doing to make sure that they have assured you that they are compliant with the GDPR and have followed all the procedures.

"They could be more vulnerable, which would then make you all more subject to risk, if something happened to them, processing their information. It means the data subject (individual) could go after both of you, and you’d both be liable because you (as the controller) have not done your due diligence."

Statistics from an RSA Conference session - called 'Combatting Cyber Risk in the Supply Chain' - revealed that 76% of all data breaches come from the introduction of security deficiencies by a third party. It was also claimed that companies are "more concerned than ever with the reputation of their vendors". 

Smith says that there are two parts to GDPR: one is the role of controller, the other is that of a processor of data.

"You can be both roles, depending on the task. You can be a controller of some information and a processor of others, and you can have third-party vendors in our industry, where they are processors of data. You might outsource your travel to a travel agency, or to a registration service where they become processors for you.

"The problem arises when companies do not think to check that their vendors have not made sure they are GDPR compliant, which means that an individual could challenge both firms in the courts."

"What can happen is that you may have all of your systems GDPR compliant when it comes into effect," Smith added.

"But if you are not watching out for what your contracted vendors are doing, they could be vulnerable, which would then make you all more subject to risk, if something happened to them. It means the data subject (individual) could go after both of you, and you’d both be liable because you (as the controller) have not done your due diligence."

Smith says there are simple questions that can be asked that give an idea of where each vendor is in the preparation for GDPR.

From that, it is possible to see whether a vendor is ready, is taking steps to be ready, or is really not even paying attention to GDPR.

 
