25% of UK businesses do not know whether their third-party suppliers could notify them within 72 hours of a data breach, according to new research from our latest whitepaper, ‘Supply chain risk: Taking control of risk and vulnerabilities’. And yet, notifying the regulator within 72 hours of becoming aware of a breach is one of the key GDPR notification requirements. If your supplier hasn’t told you that a breach has happened, it’s impossible for your business and your third party to work together to assess the incident and agree what to do next within the legal timeframe.
Understanding where data is kept
As third-party networks become more complex, your exposure increases and cyber criminals will keep looking for new ways of reaching your data. Our fresh analysis has revealed that only 26% of businesses, across all sizes, know where their third-party suppliers store personally identifiable information. It is clear, then, that cyber criminals can quite easily succeed by coming in through the back door of one of your less secure suppliers. Businesses need to ask themselves: ‘Do we have any cyber security blind-spots in our supply chain?’ And if so, it’s time to get a much clearer 360˚ view of what these vulnerabilities are and put new plans in place.
Of course, no-one is immune to a data breach. But in the event of one in your supply chain, who would you say is accountable? Your organisation, or your supplier? 56% of the businesses we questioned say both the organisation and the supplier are equally accountable if a data breach occurs in the third-party system. In reality, when your entire reputation is at stake, would you truly trust another organisation to break the news to your customers, and to do so within the legal timeframe? Under GDPR, the supplier (as processor) must notify you without undue delay, but the duty to notify the regulator and affected individuals stays with your organisation as controller. We know from experience that this can become a complex situation to handle, leaving the organisation and its customers in a vulnerable position when trying to meet the GDPR notification requirements.
So, what’s the answer? Following our recent research into the complex relationship between businesses and third parties when it comes to data security, we believe a ‘bigger picture’ mindset is needed to manage these risks. To stop being exposed by vulnerable points in your vendor network, businesses should coordinate a review of processes and security systems up and down the supply chain. Doing this before the relationship begins lays the foundation for a stronger partnership in the future.
A note on notifying affected individuals in the event of a data breach
Having a plan in place to notify individuals of the loss of their personally identifiable information is important, especially when you are working with third parties. It is also an essential part of getting ready for GDPR.
Data breach notifications take time and are resource hungry, and adding a third-party supplier to the scenario brings an additional layer of complexity when responding to an incident. Establishing an agreed plan in advance, with details of who will do what, when and how, supports both parties. Ultimately, being prepared and in control is a great place to be and will go a long way towards safeguarding customers and aligning with GDPR requirements.
The right direction…
Encouragingly, our new research has shown that businesses are improving their data breach resilience year on year: 91% of the medium and large businesses we surveyed in the UK now have data breach response plans in place, which is reassuring. If businesses turn their attention to assessing the further risk within their third-party suppliers too, it could reveal weak links. The goal is to remedy these vulnerabilities, protecting customers and, in turn, future business success.
If you need support getting ready for a data breach consumer response, call centre support or monitoring in line with GDPR, learn more here: Know, Prepare Recover: www.experian.co.uk/databreach
Please note that while we can support businesses with their preparations for GDPR, we cannot offer legal counsel or compliance advice.