GDPR – not long to go. Have you addressed third-party data processor risks?
On May 25th 2018 the biggest change to data protection law in 20 years will kick in: the EU General Data Protection Regulation (GDPR).
You know the risks. Any breach of Personally Identifiable Information (PII) can result in fines of up to 4% of Annual Global Revenue or 20 Million Euros, whichever is higher.
Most companies that are impacted have compliance initiatives underway. However, there is one essential element that many are STILL not fully addressing: GDPR Third Party Data Processor Risk.
Whether PII data is shared and processed by a Third Party for Customer-related (e.g. Sales and Marketing, Credit Checking, Service and Support) or Employee-related (e.g. outsourced HR, Payroll) activity, you as the “data controller” have ultimate responsibility for what happens to it.
“The controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject,” GDPR’s Article 28.
In GDPR verbiage, “data controllers” must ensure the due diligence and security practices of the Third Party data processors they share PII data with, AND, crucially, they (that means YOU!) assume joint responsibility for what happens to it. This means that YOU will be held liable if one of your chosen Third Party data processors is breached as a result of failing to meet GDPR requirements and your Customer or Employee PII data is compromised.