Nearly two thirds of global corporations lack the supply chain visibility required by the incoming European GDPR rules on data protection.
In a survey of 975 businesses, 57% said they felt they did not have appropriate visibility of the subcontractors used by their third parties, 21% were unsure of their third parties’ oversight practices, and just 2% routinely review the risk subcontractors pose to the business.
These findings were the result of Deloitte’s annual Extended Enterprise Risk Management (EERM) survey.
Kristian Park, EERM partner at Deloitte, said some organisations still had “a way to go to implement adequate subcontractor management”.
She said: “In the run up to 25 May [when GDPR comes into force], we’d expect to see more organisations make additional investments to adequately manage multiple layers of outsourcers.
“There is no one-size-fits-all, and the appropriateness of contractor monitoring for GDPR is defined by the nature of dependency from the perspective of data. The frequency and rigour of monitoring is expected to intensify, the greater the reliance in terms of confidential data.”
GDPR will make companies responsible not only for personal data in their control, but also for the way contractors and subcontractors handle this data. Under the rules, subcontractors all the way down to the fourth and fifth tiers need to be monitored appropriately.
The survey found that regular monitoring of subcontractors was low. As well as just 2% of firms routinely reviewing risk, another 10% only reviewed contractors deemed critical to business continuity. “This means that 88% of organisations are either dependent on their third parties to conduct subcontractor risk reviews, or have an unstructured, ad hoc approach to fourth and fifth party oversight,” said Park.
Businesses were working towards improving their third-party oversight, but the survey found this was taking significantly longer than many anticipated, and more than half of respondents said they were still two to three years away from having a mature EERM system.
Park said that while specific responsibilities under GDPR depend on whether an organisation owns or processes the data, these responsibilities typically include being able to show robust data security safeguards and reporting data breaches within 72 hours.