Businesses failing to check third-party GDPR compliance risk large fines

26 April 2018

Former special projects journalist

Shirking responsibility and failing to check whether outsourced data processors are GDPR compliant can mean costly fines for businesses. With less than a month to go, it’s time to get sorted.

Only 10% of organisations have checked whether third parties (such as commercial suppliers) pose General Data Protection Regulation (GDPR) compliance risks.

GDPR is a new piece of EU legislation that will apply to all businesses around the world that manage EU citizen data, and third-party data breaches could end up costing organisations that outsource any part of their data processing.

The deadline for GDPR compliance is 25 May 2018, yet according to research from KPMG Global Legal Services, 54% of senior legal counsel do not feel their organisations are prepared.

Fines for non-compliance can reach €20 million, or 4% of corporate annual turnover.

Juerg Birri, KPMG’s global head of legal services, commented on the findings: “Surprisingly, many businesses haven’t looked at their supply chain as a potential risk for GDPR compliance. This is particularly challenging for global organisations, with thousands of suppliers, and could be costly if not addressed with the appropriate rigour needed under the GDPR.

“Yet for all the risk, GDPR is a good opportunity to win consumer trust, examine closely how data is collected and stored, and prepare for a world where this data will become increasingly valuable. Many of our clients see GDPR as an opportunity to build a picture of how their organisation manages data, which has recently become a key element for company reputation.”

Respondents from some countries outside the EU were actually more likely, on average, to feel prepared for GDPR, including Brazil (52%), Russia (44%), Australia (51%) and the US (51%).

Interestingly, however, while many of these organisations reported processing personal data of EU citizens, not all had taken steps to monitor this activity, which suggests a misunderstanding or false confidence may be at play when it comes to GDPR.

Another pitfall when it comes to ensuring GDPR compliance is the change to the way employee data is managed and stored. The new rules are meant to regulate the way all EU citizens’ data is managed, which includes employees as well as clients.

Employers should request consent for data, and detail clearly how the data will be used. Employees should then have the right to access their data, should have the right to withdraw their consent and prevent further dissemination of their data, and should be notified of any security breaches.

There is less than one month to go before GDPR comes into effect, and while it’s cutting it fine, there’s still time for business owners to get their act together and ensure compliance.