6 challenges of managing data risk in your third parties

Outsourcing activities which involve transferring data to third parties is commonplace within the financial services market and in David Lukeman’s blog, we learned that this is still an area of focus for the Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA).

However, with the increasing focus on the General Data Protection Regulation (GDPR), third party risk is even higher on the agenda. The biggest GDPR risk is likely to be third parties, so it is essential that you check your third party contracts are GDPR compliant.

So there is now a greater imperative for organisations to have a clear view and control of which third parties hold, process or even control their customer data, as well as robust due diligence, contractual and monitoring in place. Almost all GDPR Programmes we are seeing across financial services have a focus on third party risk, but most of these are struggling with five key challenges:

The 6 challenges of managing data risk in your third parties:

  1. Identifying third parties – knowing which third parties are within the scope of the GDPR both in the next few months but also as your business evolves and changes, so that you focus your efforts on the right third parties.
  2. Understand what they do (controller/processor) and what data they have – understanding the nature of your relationship with the third party and exactly what they do/don’t do for you.
  3. Due diligence – ensuring that you only select third parties who can keep your promises by making sure you understand and evaluate their own risk management approach.
  4. Contract compliance – the challenge of ensuring that you have a fit for purpose contract in place, it’s not simply to issue side letters or unilaterally amend liability levels, key terms including subcontracting need to be carefully reviewed and amended.
  5. Management activities to include the specific breach reporting requirements – maintaining control or a relationship that enables both you and the third party to collectively adhere to the GDPR.
  6. Enhance your existing monitoring arrangements to ensure ongoing compliance gaining assurance that the third party constantly lives up to what you have agreed with them, captured in the contract and the articles of the GDPR itself.

The third party view

The challenge is not just for financial services institutions, but also with a large number of third parties supporting the industry, as most third parties have their own GDPR Programmes too. However, these third parties are becoming frustrated with the different interpretations and approaches to the GDPR from their customers.

As institutions who are controllers are liable for the actions of the processors they select, this multiplies the potential liabilities for a single third party. Third parties are challenging changes to contracts, services or oversight arrangements.

Rav Hayer | Partner
Profile | Email | +44 (0)20 7213 3451
Follow @ravhayer06

Andrew Bache | Senior Manager
Profile |+44 (0)20 7804 3274

Read more articles on