Manage Third-parties under GDPR

We’ve discussed this section in detail in a previous article, but in short, under GDPR, organizations are responsible for all of their third parties’ actions and can even be held responsible for fourth parties’ actions if the organization doesn’t adhere to GDPR’s requirements.

Maintain Records of Processing Activities

Controllers’ Responsibilities

Controllers are required to maintain a record of their processing activities, including:

  • The name and contact details of the:
    • Controller
    • Controller’s DPO
  • The purposes of the processing activities
  • A description of the categories of data subjects and of the categories of personal data
  • The categories of recipients who have received or will receive PII
  • If possible, a general description of the technical and security measures that are in place to protect PII
  • Records of each data breach involving PII, including the:
    • Facts related to each breach
    • Effect of each breach, and
    • Remediation actions taken in response to each breach

Processors’ Responsibilities

Processors are required to maintain a record of all processing activities they are carrying out on behalf of each controller, including:

  • The name and contact details of the:
    • Processor
    • Processor’s DPO
  • The categories of processing activities carried out on behalf of each controller
  • If possible, a general description of the technical and security measures that are in place to protect PII
  • If applicable, any transfers of PII to a third country or an international organization, including the identity of that third country or international organization

Breach Notification

Notify the Appropriate Supervisory Authority

Controllers are to notify the appropriate supervisory authority¹ within 72 hours of becoming aware of a data breach involving PII that’s likely to result in a risk to the rights and freedoms of the affected individuals:

  • If the notification is not made within 72 hours, the reasons for the delay must be included with the notification to the supervisory authority
  • Processors must promptly² notify their controller once becoming aware of a personal data breach

Notifications must include descriptions of the:

  • Nature of the data breach, including, where possible, the:
    • Categories and approximate number of the data subjects affected
    • Categories and approximate number of personal data records
  • Name and contact details of the controller’s DPO
  • Likely consequences of the personal data breach
  • Remediation actions taken or planned to be taken by the controller to:
    • Address the breach
    • Where appropriate, mitigate the possible adverse effects caused by the breach

Notify the Affected Individuals

If a data breach involving PII is likely to result in a high risk to the rights and freedoms of the involved individuals, the controller must inform the affected individuals immediately. This notification must be in clear, plain language and convey the same information that was provided to the supervisory authority.

Controllers are not required to notify individuals if any of the following conditions is met:

  • The PII was appropriately encrypted
  • The controller has taken steps since the breach to ensure that the risks to the individuals’ rights and freedoms are no longer likely to occur
  • Notifying each individual would involve a disproportionate effort
    • In these situations, a public communication is to be made


Violations & Fines

We’ve discussed this section in detail in a previous article, but in short, the severity of a violation determines the amount of the fine. The severity of a violation is dependent on:

  • The violating organization’s:
    • Size
    • Posture towards privacy
    • Attempts to mitigate the effects of violations
    • (If applicable) Previous GDPR violations
  • The types of data involved
    • If special categories of data are involved, the violation is likely to be major
  • The type of the violation, such as a(n):
    • Unapproved data transfer
    • Data breach

Based on the severity, a violation is categorized into one of two groups and is subject to a different level of fines:

  • Minor violations
    • Subject to fines up to one of the following, whichever is larger:
      • €10 million, or
      • 2 percent of the previous year’s worldwide annual total revenue (not profit)
  • Major violations
    • Subject to fines up to one of the following, whichever is larger:
      • €20 million, or
      • 4 percent of the previous year’s worldwide annual total revenue (not profit)

The chart below provides examples of the maximum fines organizations could face depending on their annual total revenue. Note that GDPR violations could severely impact small- to medium-sized organizations.

Annual Revenue (€)    Minor Violation Fine (€)    Major Violation Fine (€)
500,000               10 million                  20 million
10 million            10 million                  20 million
500 million           10 million                  20 million
10 billion            200 million                 400 million
50 billion            1 billion                   2 billion
100 billion           2 billion                   4 billion

Figure 1: Examples of Potential Maximum Fines, Based on an Organization’s Revenue and the Violation’s Severity

We hope this series on the foundations of GDPR was educational and informative, providing you with a better understanding of how your organization can remain compliant in the future. Revisit parts one and two of this series at any time.

¹ Usually, the supervisory authority for the Member State in which the data breach has occurred or where the most individuals are from

² Most controllers require notice from their processors within 24 hours