This month we have spoken extensively about GDPR readiness, in time for the new regulations effective as of 25th May 2018. So far we have covered the essential elements of what you need to know, ensuring your data is compliant, and the protocol you need to follow when a data breach does happen. There is one more vital component you need to consider in line with the legislation, and that is the third-party suppliers with whom you share your customer's personal data.
Reportedly 63% of data breaches are down to errors made by third-party suppliers; mistakes that your business would be accountable for. Considering the penalty for severe cases is 4% of your annual global turnover or €20 million - whichever value is more significant - these are pretty costly mistakes. Granted, a lot of the proposed penalty fares are mostly just journalism scare tactics. However, the risk of disciplinary action and reputation damage is still something to take seriously.
There are a number of ways to carry out the necessary due diligence on your third-party vendors’ processes. The first step is to minimise who you share your data with. Do your vendors really need the full access they have or are there ways you can streamline and reduce their access? Once you have lessened the number of opportunities for a breach by reducing access, you are left with a much more manageable smaller selection of businesses to inspect. It is vital that you do not to take your vendors at their word that they take compliance seriously and so it is your responsibility to clearly outline the activities in which they need to be compliant and have a signed contract from them to confirm their compliance by 25 May 2018.
Once data is outsourced, you have no control over where that information is passed onto, and so in your agreement, you need to state that your vendors will not further share the information unless otherwise agreed in writing. With their internal staff, you need to make sure extensive background checks have been carried out for all staff members; including credit checks, previous employment and criminal records.
Carrying out the necessary due diligence and having a paper trail to prove you have done so gives your business a stronger case to show you have made every attempt possible to prevent a data breach. Ensuring your third-party suppliers are compliant is just one the ways you can make your business GDPR ready for May.
For further help and advice on making your business compliant and making changes to your existing technology, please get in touch. Whether it's carrying out a data privacy impact assessment, or help and advice reviewing your current set up and how you can do things differently, Tandem can help you. We work closely with you to determine what services make sense for you, ensuring that you have a solution tailored to your needs: giving you complete peace of mind. Contact us today.