The General Data Protection Regulation (GDPR), the biggest deal in EU data protection law in 20 years, goes into effect on May 25.
A recent Thomson Reuters webcast, “GDPR: Legal’s Role is Addressing Third-Party Risks” (with ACC and the Jordan Lawrence Group), is not for the faint of heart. “The buck essentially stops at the door of the company’s legal department if there’s a data breach, even if it was caused by a sub-contractor of your third-party data processor,” says a summary of the webinar. Beth Magnuson, senior legal editor on privacy and data security for Thomson Reuters Practical Law, offers a chilling analogy: Consider a house with a firmly secured front door (your company’s data protections) and back door (your data processor’s protections), but this house also has a side window that’s left open (a negligent subcontractor). Ignoring the risks that subcontractors pose to personal data creates a huge hole in your security program. “GDPR accountability requires knowledge and understanding, Magnuson says. “If you don’t know who can access the personal data controlled by your company, you don’t really have control over it.”
Published January 9, 2019.