It is normal for SMEs to use the services of an outsourced IT company to provide them with the business support they need. However, they must also consider compliance as an essential part of this support.
There are serious implications if you work with a non-compliant partner and share personal data with them.
Consequently, as part of your own approach to GDPR you must also assess your IT partner’s preparedness for compliance.
Under GDPR, there is clear instruction about working with third parties when it comes to sharing personal data. Article 28(1) of the regulation states that where processing is carried out on behalf of a controller, the controller shall:
Use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
The protection of personal data is key here. What this statement means is that if you outsource to a third party, you must carry out due diligence before sharing data and satisfy yourself that the partner can meet its GDPR obligations. Article 28(3) goes further: the processing must be governed by a written contract that sets out the subject matter, duration, nature and purpose of the processing, the types of personal data involved, and the processor's duties (including acting only on your documented instructions, keeping the data secure, assisting you with data subject requests and breach reporting, and deleting or returning the data at the end of the engagement).
What might a third party or partner be using this shared data for?
Typically, it could be employee-related, such as payroll or outsourced HR, or it could be customer-related, to do with credit checking, sales and support or marketing activity.
Responsibility for managing personal data is shared. Processors carry their own obligations under GDPR, but as the controller you remain accountable: if your third-party supplier or partner turns out to be non-compliant, you will still be held responsible for any resulting breach of GDPR.
Reportedly, a large proportion of IT security breaches originate with third parties, and that proportion is growing as organisations depend on an increasing number of outside suppliers to manage large amounts of personal data on their behalf.
As a business, you are only as strong as your weakest link, and this weakness may be actually outside your organisation.
Face the Consequences
A data processor is any person or organisation that handles, on your behalf, the personal data you hold belonging to customers, employees or others.
Any security breach at your data processor is, in effect, a breach of your data and will have an impact on your business. Under Article 33, a processor must notify you of a personal data breach without undue delay, and you then have 72 hours from becoming aware of it to notify the supervisory authority where the breach is likely to result in a risk to individuals. Your contract with the processor should therefore spell out how and how quickly it will tell you.
There are clear GDPR penalties: administrative fines of up to EUR 10 million or 2% of worldwide annual turnover for infringements of the controller and processor obligations in Articles 25 to 39, and up to EUR 20 million or 4% for infringements of the core principles, data subject rights and international transfer rules (Article 83). Fines are assessed per infringement, so separate failures by a processing partner that does not fix things, or by each of several third parties processing your data, can each attract enforcement action.
However, while these financial penalties can mount up, the reputational risks may be higher and more impactful in the long-term.
If you lose the trust of your customers, or your employees, this can be hard to get back. Your business brand could be damaged irretrievably by a data breach that is due to the negligence or carelessness of a third party.
Ultimately then, with GDPR compliance in data sharing, it is not just your own processes and procedures that count, but also who you choose to work with, and how far you can trust them.
For an accompanying read, please visit Is Your Digital Business Truly Compliant?