Subcontractors and UK GDPR
If you run a business and use any subcontractors (whether in accounting, IT, marketing, courier services or any other area) – make sure that your subcontractor complies with the law on personal data protection and properly cares for your customers’ data.
The same principle also applies in the opposite direction: if you provide accounting, IT, courier, or other services that involve processing personal data of your clients, make sure that they respect the principles of UK GDPR.
Why is it important?
Both the data controller and the data processor are responsible for any breach involving personal data. Your company may handle personal data carefully, protect it, train staff, maintain documentation, and so on, yet the mere fact that you processed data in cooperation with a third party that is non-compliant (from the GDPR perspective) can itself be grounds for a fine.
On January 27, 2021, the French data protection authority (CNIL) fined a company (an online shop) EUR 150,000 and its subcontractor (the IT company managing its website) EUR 75,000 for failing to take appropriate countermeasures against hacker attacks.
Between June 2018 and January 2020, CNIL received numerous personal data breach notifications concerning a website where millions of customers shopped regularly.
CNIL then investigated both the company and the subcontractor managing the website. It turned out that the company's official website had been subjected to attacks in which identifiers and passwords circulating unencrypted on the Internet were fed, by automated login bots, into the site to gain access to the accounts of the individuals whose data was concerned.
Once successfully logged in, the third parties could access a range of information.
CNIL found that the attackers were able to access surnames, first names, dates of birth, email addresses, loyalty card numbers and balances, as well as customer order information.
The French data protection authority found that both the company and its subcontractor had failed to fulfil their obligation to maintain the ongoing security of customers' personal data under Article 32 of the GDPR. In an attempt to solve the problem, both companies began building a tool to counter the bots, an effort that took a whole year and was unsuccessful. Meanwhile, they ignored other immediate remedial measures that could have prevented or mitigated further attacks much faster, and so limited the negative impact of these attacks on customers.
As a result, between March 2018 and February 2019, unauthorised third parties gained access to the personal data of more than 40,000 customers of the online store.
The controller, joint controllers and processors are all responsible for a breach of personal data.
What can you do to secure your business as much as possible for the future?
Firstly, always enter into a “data processing agreement” in writing with any third-party entity.
Before signing a data processing agreement with a third party, it is important to ensure that they comply with GDPR/UK GDPR. A questionnaire covering the procedures, documents and security measures applied in the external company can be used to verify this. Only once you are confident that the third party is trustworthy in terms of GDPR/UK GDPR compliance should the agreement be signed.
If you are afraid of losing a client by bombarding them with questions about their GDPR/UK GDPR compliance, you can at least prepare a letter of intent in which you describe your own GDPR/UK GDPR compliance and state that entering into the cooperation implies acceptance of the same standards on their side.