GDPR was all anyone seemed to talk about for a while, but in the few years since it came into force it has started to fade into the background. Most companies brought their security up to where they thought it needed to be and moved on. The problem with this is twofold. Firstly, cyber security measures need to be ongoing to keep pace with changing threats. Secondly, and the focus of this post, if you use third parties to process personal data, any lapse in their security can cost you, so you need to monitor their security as well as your own.
What Is GDPR (A Quick Refresher)
GDPR, short for General Data Protection Regulation, is an EU-wide regulation that introduced stricter rules on the collection and use of an individual's personal data. You can find full details of what GDPR requires in this Guide to GDPR.
Your Responsibility For Third Party Security
You may assume that if a third party is at fault, it is the third party that faces the consequences. It will, but so could you. Even if you outsource data processing activities, you remain the data controller; the third party is a data processor acting on your behalf. It is a subtle distinction but an important one, because it means a processor's poor security can cost you significantly.
The Cost Of A GDPR Breach
Fines for GDPR breaches can be as high as 20 million euros or 4% of annual global turnover, whichever is higher. A fine of this size is a huge deal. The fact that something so significant could result from someone else's poor cyber security may seem worrying; however, if you do your due diligence you can protect your company and its customers. It is important to remember that the steps you took to protect customer data, and whether a breach was intentional or accidental (among other factors), are taken into account when a fine is determined.
There have been several large fines issued relating to data breaches involving third parties. The Cambridge Analytica scandal saw Facebook incur fines from several countries, including a pre-GDPR fine of £500,000 from the UK. Once GDPR was in force, the UK ICO announced its intention to fine British Airways £183 million over a breach attributed to compromised third-party code on its website.
How You Should Handle Third-Party Security
You may be responsible for a third-party data processor's security, but that does not mean you control it. Here are a few steps you can take to better ensure your customers' data is safe while a third party processes it. First, research the third party's cyber security standards. If they do not meet the necessary standard, have the processor confirm, in writing, the measures it will take to improve its security. If it cannot make adequate improvements, find a different processor.
Following this, whether you stay with the same data processor or change to a different one, sign a contract in which the processor agrees to the following:
- It will only process data on your documented instructions (as the data controller, you decide which data is processed and how)
- It will not engage sub-processors (its own subcontractors) without your prior approval
- It will delete or return all personal data, at your choice, at the end of the contract term
Cybercriminals are continually finding new ways to harvest data. With large fines a very real threat, it is more important than ever to protect your users' data with continuous cyber security rather than a one-off compliance exercise. Both you and your third parties should undergo routine cyber security audits and make sure employees are properly trained. From phishing assessments and dark web monitoring to advanced endpoint protection, there are plenty of ways for you and your third parties to protect your web visitors' data.