Skip to content
Thomson Reuters

GDPR: addressing third-party risks

With 2018 now underway, the looming introduction of the General Data Protection Regulation (GDPR) is drawing ever closer. When the GDPR goes into effect on 25 May 2018, it will represent the most significant development in European Union (EU) data protection law in almost 20 years.

An example of an important change is in Article 28 which mandates that any company doing business in the EU is responsible for all third parties that are processing personal data on behalf of the company. If a company fails to comply with the GDPR they face potentially large fines – up to an amount that is the greater of €10 million or two percent of their global annual turnover, penalties and litigation fees.

A recent webinar hosted by Thomson Reuters, GPDR: Legal’s Role in Addressing Third-Party Processor Risks, looked specifically at how legal departments will play a critical role in conducting and monitoring vendor due diligence in response to the sweeping new measures.

To listen to the webinar, GPDR: Legal’s Role in Addressing Third-Party Processor Risks, click here 

Addressing the impact of the GDPR, the webinar highlighted that the buck will ‘essentially stop at the door’ of the company’s in-house legal team if there is a data breach, even if it was caused by a sub-contractor of a third-party data processor. One of the webinar panellists, Susanna McDonald, Associate General Counsel and Senior Director of Compliance of the US-based Association of Corporate Counsel, added that the ‘stakes are getting higher’, warning that legal teams have to be ready to meet the regulatory obligations.

McDonald said: “If you’re a data controller or a data processor, you’re responsible for ensuring that you and all of your vendors are meeting the GDPR requirements. Regulators aren’t going to be very forgiving when you try to point your finger at your vendor.”

The panel continued to acknowledge the importance of comprehensive vendor due diligence throughout the webinar, highlighting how crucial it is viewed in the eyes of the regulator. Beth Magnuson, Senior Legal Editor on Privacy and Data Security for Thomson Reuters Practical Law, said that ignoring the risks that subcontractors pose to personal data creates a huge hole in a security program, adding: “GDPR accountability requires knowledge and understanding. If you don’t know who can access the personal data controlled by your company, you don’t really have control over it.”

Rebecca Perry, Director of Professional Services for Jordan Lawrence, an IT service management firm, concurred, and said: “GDPR explicitly makes your company responsible for third-party processors as well as their sub-processors, who are your fourth-party risks.

“And GDPR compliance isn’t a one-and-done effort. Compliance is ongoing and will require systematic and routine risk assessments for your third-party vendors,” she said.

Perry’s three vendor risk assessment standards:

  1. Vendor risk profile: to document vendor relationships and surface hidden risks.
  2. Comprehensive risk standard: to assess vendors that surface as relevant to GDPR or that require a higher level of scrutiny.
  3. Law firm standard: to assess law firms, operating in the US, against the ACC Model Information Protection Controls.

The panel also explored the additional impact created by the introduction of the GDPR, including the increased risk for potential litigation and higher fines.

The panel noted that Article 77 and Article 82 were among the key GDPR provisions − both of which should be firmly on the radar of the in-house legal department.

  • Article 77: gives the right to anyone – from current and former employees to clients – to lodge complaints with data protection authorities if they feel their rights have been infringed.
  • Article 82: essentially gives anyone suffering material or non-material damage as a result of a GDPR infringement, the right to receive compensation from a data controller or data processor for damages suffered.

Discussing the prospect of steeper fines, McDonald stressed that this is the ‘biggest risk’ posed by the introduction of the GDPR, adding that it could trigger a ‘tidal wave of litigation and settlements.’

Meanwhile, another panellist, Rebecca Thorkildsen, Global Director of Legal Solutions at Thomson Reuters Legal Managed Services, advised legal teams to look at existing vendor contracts in a bid to establish which ones need to be revisited in order to become GDPR compliant. She added: “You may need to reach out to different parts of your business — functions like procurement or marketing, for example, who may be the sole owners of the contracts and associated relationships.”

One approach to assessing existing vendor contracts would be to consider using tools like automated extraction engines, Thorkildsen suggested, as ‘that can pull key data points from lengthy documents, such as whether a contract expires before the GDPR deadline or where the data subjects exist.’ For further efficiencies, repapering may be automated by generating amendments, leveraging the data extracted and selecting the most appropriate clause based on the clauses and context uncovered.

However, the panel also highlighted that law firms need to step up their own protections as well. There has been a swathe of law firm breaches in recent years, with some estimates noting that 40 percent of those affected weren’t aware they had been breached at the time.

To listen to the webinar in full click here.

Privacy Act 2020—New Zealand lifts compliance standard The Hearing: Episode 56 – Chris Mohr Companies struggle with GDPR and global privacy—a report Data privacy, drones and corporate espionage—keeping up with legislation Cybersecurity at the centre—competing globally with different rules GDPR: how have organisations adjusted and what’s on the horizon? Risk and compliance function continues to grow in profile and sophistication Combating cybercrime: does the law need to catch up? GDPR: how will it impact the Bar? GDPR: the new data-protection laws give watchdogs a powerful bite