GDPR and the management of third party suppliersPosted in : Seamus Says - Employment Law Discussion on 18 October 2017
Q. Why should an employer seek assurances from external suppliers or data processors? Who's responsible if it's a data breach?
Seamus: This is interesting as well and one that we discussed in our seminars. Because we rely on third parties, we do send information out and those third parties hold that information. We don't do it internally here, but things like payroll, records could be gone off to a third party or even at times HR completely.
Scott: Occupational health, all that kind of stuff.
Seamus: Absolutely. It's really about asking the third party for a copy of the data protection policy and procedure. I think it's about meeting with them, engaging with them, getting to know, getting assurances from them that they're doing things properly, asking to see their system and how they store things, are they using encrypted emails? Are they password protecting documentation that's been back and forth? You'll get a bit of a general theme as you work with them.
The reality here is if there are fines and breaches that come along, his head will roll if we put it that way. Potentially what the employer could do is get some sort of indemnity, some sort of assurance in writing from the third-party provider and seek to cover their back in that sense. The reality is if there's a breach that happens, it falls on the head of the employer from a publicity and media side of everything else. The employer will look very wicked.
Scott: Just don't ask that part of the questions. You've got €20 million fines or 4% of your global turnover. But each of those individuals, as is happening with Morrisons at the moment with their staff members, when their records were breached. So, you're facing that plus the publicity. It's a massive risk for most employers.
Seamus: Yeah, 100%. I think the key advice for somebody out there that is struggling or panicking about it is I've found the Information Commissioner's Office to be a good resource and they've been very helpful and they're good at giving advice and they're good at giving policies and procedures. So, if you are concerned and you're worried about it, try engaging with them. I don't know how that will work in the next few months when they're up to their eyes, they're so busy. But certainly, it's a resource there that you can go to.
More on Data Protection & Freedom of Information
- 5 Key steps in establishing an effective data protection compliance programme
- Is personal data held on a workplace messenger disclosable under a SAR for an ex-employee?
- Working Time; Sickness and Absence; National Minimum Wage Issues; GDPR; & much more
- GDPR implications of providing employee information in a TUPE situation
- Can an employer disclose a departing employee’s restrictive covenants to their new employer?
The information in this article is provided as part of Legal-Island's Employment Law Hub. We regret we are not able to respond to requests for specific legal or HR queries and recommend that professional advice is obtained before relying on information supplied anywhere within this article.