GDPR and the management of third party suppliersPosted in : Seamus Says - Employment Law Discussion on 18 October 2017
Q. Why should an employer seek assurances from external suppliers or data processors? Who's responsible if it's a data breach?
Seamus: This is interesting as well and one that we discussed in our seminars. Because we rely on third parties, we do send information out and those third parties hold that information. We don't do it internally here, but things like payroll, records could be gone off to a third party or even at times HR completely.
Scott: Occupational health, all that kind of stuff.
Seamus: Absolutely. It's really about asking the third party for a copy of the data protection policy and procedure. I think it's about meeting with them, engaging with them, getting to know, getting assurances from them that they're doing things properly, asking to see their system and how they store things, are they using encrypted emails? Are they password protecting documentation that's been back and forth? You'll get a bit of a general theme as you work with them.
The reality here is if there are fines and breaches that come along, his head will roll if we put it that way. Potentially what the employer could do is get some sort of indemnity, some sort of assurance in writing from the third-party provider and seek to cover their back in that sense. The reality is if there's a breach that happens, it falls on the head of the employer from a publicity and media side of everything else. The employer will look very wicked.
Scott: Just don't ask that part of the questions. You've got €20 million fines or 4% of your global turnover. But each of those individuals, as is happening with Morrisons at the moment with their staff members, when their records were breached. So, you're facing that plus the publicity. It's a massive risk for most employers.
Seamus: Yeah, 100%. I think the key advice for somebody out there that is struggling or panicking about it is I've found the Information Commissioner's Office to be a good resource and they've been very helpful and they're good at giving advice and they're good at giving policies and procedures. So, if you are concerned and you're worried about it, try engaging with them. I don't know how that will work in the next few months when they're up to their eyes, they're so busy. But certainly, it's a resource there that you can go to.
More on Data Protection & Freedom of Information
- Can an employer refuse a request from an unsuccessful job applicant to delete any of their data in its possession as it may be necessary for the defence of legal claims?
- If employees willingly provide personal email addresses at the start of their employment and their personal email addresses were used to contact them while they worked from home during the Coronavirus Lockdown, is this a breach of data protection?
- Can we ask staff to let us know if they have been vaccinated, and can we keep a record of this?
- Does the chief executive have the right to view sensitive personal data without an employee’s consent?
- Data Protection Implications of Selling From the UK into the EU after Brexit
The information in this article is provided as part of Legal-Island's Employment Law Hub. We regret we are not able to respond to requests for specific legal or HR queries and recommend that professional advice is obtained before relying on information supplied anywhere within this article.