More than half of companies lack visibility over subcontractors in their supply chains as GDPR nears, according to a survey.
The General Data Protection Regulation (GDPR) comes into force on 25 May, but a survey of 975 companies around the world by Deloitte found 57% believe they are not able to appropriately monitor subcontractors employed by third parties. Deloitte refers to these subcontractors as fourth and fifth parties. In addition, 21% of respondents felt unsure about their oversight measures.
Overall, only 2% regularly check the potential risks subcontractors pose at the further reaches of their organisations and 10% review solely those subcontractors deemed critical to the continuity of the business.
It follows that the remaining 88% of organisations either depend on their contractors to conduct subcontractor risk reviews, take an ad-hoc approach, or have no relevant policy at all.
However, regular monitoring is going to be essential as the survey shows over half (53%) of respondents increasingly depend on third parties.
Deloitte partner Kristian Park said: “With GDPR coming into force across Europe next month, organisations will already be looking with renewed focus at their third party structures. For some, there is still a way to go to implement adequate subcontractor management.
“Compliance with GDPR not only covers organisations themselves, but also the contractors and subcontractors they engage. Under the regulation, subcontractors representing fourth and fifth parties must be appropriately monitored.
“Whilst the specific responsibilities will depend on whether they’re considered a data ‘controller’ or ‘processor’, such responsibilities typically include demonstrating robust data security safeguards, and reporting data breaches within 72 hours.”
He added: “In the run up to 25 May, we’d expect to see more organisations make additional investments to adequately manage multiple layers of outsourcers.”
GDPR will regulate the way companies and individuals collect, store and share data. The legislation, passed in 2016, aims to give citizens more control over their personal information, and organisations that rely on user data will face tough data protection requirements.
In the UK, the new rules will replace the 1998 Data Protection Act.