Out-Law News 1 min. read

Global companies lacking GDPR oversight of sub-contractors
The majority of global companies admit that they do not have appropriate oversight of third parties and sub-contractors despite the imminent implementation of new data protection regulations.

A new survey by consulting firm Deloitte revealed that 57% of global organisations admitted they did not have appropriate visibility of sub-contractors engaged by their third parties, a further 21% were unsure of their oversight practices, and just 2% routinely reviewed the risk sub-contractors posed to their organisation.

The report was released a month ahead of the implementation across Europe of the EU’s General Data Protection Regulation (GDPR), which will govern how organisations use and retain data in a bid to strengthen individuals’ data privacy.

The Deloitte Extended Enterprise Risk Management (EERM) survey of around 1,000 companies found that 10% monitored only those sub-contractors they identified as critical to their businesses. The vast majority relied on third parties to carry out this monitoring, had an unstructured approach, or did not know their organisation’s policies.

The GDPR requires companies to ensure that their contractors and sub-contractors also comply with the regulation. Such sub-contractors could include data controllers or processors, which need to demonstrate robust data security and have to report any data breaches within 72 hours.

Deloitte EERM partner Kristian Park said: “With GDPR coming into force across Europe next month, organisations will already be looking with renewed focus at their third-party structures. There is no one-size-fits-all, and the appropriateness of contractor monitoring for GDPR is defined by the nature of dependency from the perspective of data. The frequency and rigour of monitoring is expected to intensify, the greater the reliance in terms of confidential data.”

The report also showed that, despite their lack of oversight of contractor relationships, many companies rely heavily on third parties. Over half of respondents to the survey said they had seen ‘some’ or ‘significant’ increase in their dependency on contractors. Changing regulation, including GDPR, and heightened levels of regulatory scrutiny were the two greatest contributors to the increased risk that this dependency brings.

There have been several examples of companies caught up in data breaches due to third parties. In November last year Uber disclosed a massive data breach caused by hackers accessing customer data stored on a third-party cloud computing platform.

Last year guidance published by the EU warned that businesses would be considered to be aware of data breaches when their data processors noticed the breach. The UK Information Commissioner’s Office said companies should review third party contracts ahead of the GDPR implementation.
