December 2, 2019

You Know What Is GDPR, but Do Your Vendors Know?

by Danka Mihajlovic

Although not all entrepreneurs welcomed GDPR with open arms, it has been an obligation and part of the business routine for more than a year. The new regulation made handling consumer data more complex and expensive, but on the other hand it gave customers a greater level of control over their data. Companies must take the required steps to protect the citizens’ data in their care, but that is not where the story ends. The GDPR clearly states that if a company has any third-party contracts which involve the processing of personal data, then those partners also need to ensure GDPR compliance.

GDPR fines await those who don’t comply

After the infamous Magecart group used a card-skimming script to extract confidential data from around 380,000 British Airways customers over two weeks, the UK's data protection authority (ICO) fined BA ~€204 million. This record-high fine came as a result of “poor security arrangements at the company”, as the ICO put it in its statement. It was the first fine drastically higher than those issued under prior regulations, and it signalled a stricter GDPR fines policy from then on.

The GDPR Enforcement Tracker keeps track of all public fines and penalties which data protection authorities within the EU have imposed under the GDPR. The list is constantly getting longer, and it makes obvious that failing to check whether third-party processors are GDPR compliant means costly fines for businesses. In some cases, violators of the GDPR may be fined up to €20 million or up to 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher. And that is just for one breach.

Third parties are part of the way most companies process confidential data. They may cover the whole spectrum, from cloud platforms, cloud-hosted finance and HR applications to advertising agencies and web analytics software. The third-party ecosystem carries a significant amount of risk for a controller (the primary organization): according to the results of Opus & Ponemon Institute research, almost 60% of last year's data breaches in US companies can be traced back to third-party affiliations.

On the other hand, third parties are also an important source of business value and strategic advantage. As the need for third parties continues to grow, so do the associated risks. Ultimately, those risks can bring reputational damage or financial loss to the company.

Mitigating third-party risk

To obtain true protection for users, a company must manage and keep control over its third parties. In the ideal case, organizations transfer their data protection policies and procedures to their third parties and then monitor compliance with them.

As GDPR’s main concern is protecting individuals and their sensitive data, the possible financial and reputational damage for companies relates to how sensitive the breached data was, not to where exactly in the handling chain the data was leaked. That means primary organizations cannot excuse themselves and point fingers at third parties if a data breach happens. Third-party risk must be dealt with proactively, making sure that compliance is taken seriously.

The first step in that direction is an independent external assessment. Investigating the internet security posture of a third party will reveal any apparent problems, but also how the company’s present or future partners approach data security. Collecting external data about a vendor’s security habits is essential when considering its reliability and should come before any inner look into the vendor’s technologies and processes.

It is important to be aware that oversights at this early stage may lead to very big and unwanted consequences, including high GDPR fines and reputational damage. The choice of the right tool for external assessment is crucial for keeping sensitive data away from malicious attackers. ABSTRACT provides comprehensive insight into one’s cybersecurity standing, an inventory of web applications and infrastructure, as well as other critical business data.

Recent research shows that hackers are aware that your third parties may be your biggest weakness. Don’t let the hackers outsmart you.