In just 3 years since GDPR became enforceable, over 660 fines and over €290m in penalties have been issued.
Whilst British Airways (€22m) and Marriott International (€20m) have naturally grabbed the front pages with high-profile breaches and fines, the fact remains that for each and every organisation any breach of Personally Identifiable Information (PII) can result in penalties of up to 4% of Annual Global Revenue or 20 Million Euros – whichever is higher.
With every country in the EU (including the UK) having issued at least one fine, it seems there is no place to hide. Just look at some headline figures on the size and volume of fines issued by each country's regulatory bodies and authorities, as shared by HelpNetSecurity.com.
(Caution – you may want to hide behind the sofa first)
Nations with the highest fines
- Italy: €76,217,601
- France: €54,661,300
- Germany: €49,186,833
- United Kingdom: €44,221,000
- Spain: €29,372,510
- Sweden: €12,332,430
- Netherlands: €5,012,500
- Bulgaria: €3,210,69
- Poland: €1,816,498
- Norway: €1,277,550
Nations with the most fines
- Spain: 222
- Italy: 73
- Romania: 54
- Hungary: 39
- Germany: 30
- Norway: 26
- Belgium: 25
- Czech Republic: 25
- Poland: 23
- Bulgaria: 20
You’re Only As Strong As Your Weakest Link
Whilst organisations have made great strides over the last 36 months to ensure their policies, processes and practices are GDPR compliant, there’s one essential element that many are STILL not fully addressing – GDPR Third Party Data Processor Risk.
Whether PII data is shared and processed by a Third Party for Customer-related (e.g. Sales and Marketing, Credit Checking, Service and Support) or Employee-related (e.g. outsourced HR, Payroll) activity, you as the “data controller” have ultimate responsibility for what happens to it.
“The controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject,” GDPR’s Article 28.
In GDPR verbiage, “data controllers” must carry out due diligence on the security practices of the Third Party data processors they share PII data with AND, crucially, assume joint responsibility for what happens to it. So if you think you’ve got GDPR and your Third Parties completely covered, just ask yourself:
Do we have a full and complete register of ALL Third Party IT suppliers, what they do and the contracts we have in place? Especially those that would fall under the remit of “data processors” and/or require GDPR compliance?
How likely is it that we have an external supplier providing a data processing application or service that has not gone through our formal vetting process? This could be a web app, telemarketing agency, lead generation email service, payment processor, cloud-based service etc.
How confident are we that our Sales, Marketing, HR, Payroll or other internal departments have not signed up to a Third Party service provider that has provided no assurance or contractual obligation to deliver the minimum levels of data privacy and security GDPR demands?
So, do you still think you’ve covered all your Third Party bases?
DVV Solutions’ GDPR Third Party Risk Assessments will help to fill the gap in many GDPR programs where the assurance and compliance of Third Party data processors is often left to a basic check and update of contractual terms – and though important, contractual commitments only help to identify liability after a breach, and potentially significant financial and reputational damage, has occurred.
In line with the ICO’s guidance for implementation of “best practice”, the GDPR Third Party Risk Assessment develops a more proactive approach to GDPR compliance – identifying risks and issues and allowing both parties to work together to mitigate any clearly validated risks before, rather than after, the fact.
Visit our GDPR Third Party Risk Assessment page to find out more or:
Call Us: +44 (0) 161 476 8700
Contact Us: Complete our Contact Form, or
For the latest information on GDPR regulation and compliance, DVV Solutions suggests visiting the Information Commissioner’s Office (ICO) dedicated website.