GDPR and Third Party Risk
Like most organisations, you will have to overhaul a number of internal processes and systems to comply with GDPR, but there is one critical area you cannot ignore: the risk that comes from Third Parties such as contractors, partners, suppliers and service providers.
In GDPR terms, as a “data controller” you must perform due diligence on the “data processors” to whom you outsource the processing of personal data (what GDPR calls personal data is broadly what many organisations label Personally Identifiable Information, or PII). The key issue is that outsourcing the processing does not outsource the responsibility: you must use only processors that provide sufficient guarantees that they will meet GDPR’s requirements, and if one of your Third Parties is breached or fails to comply, both the processor and you can be held liable for the resulting damage. The maximum administrative fine of €20m or 4% of total worldwide annual turnover, whichever is higher, can be applied to your Third Party AND to YOU.
But how exactly do you assess and validate each Third Party’s compliance with GDPR? How do you know they are capable of fulfilling the GDPR requirements of data privacy and security you express in your contracts and agreements?