Two-thirds of companies “lack adequate visibility over sub-contractors” to meet GDPR requirements

According to a new survey from Deloitte, 57% of global organisations feel they don’t have appropriate visibility of sub-contractors engaged by their third parties (referred to as fourth/fifth parties). A further 21% are unsure of oversight practices, and fewer still (just 2%) routinely review the risk that sub-contractors pose to their organisation.

This is Deloitte’s third global survey on Extended Enterprise Risk Management (EERM). The 2018 study garnered 975 responses from organisations across 15 countries in the Americas, EMEA and APAC regions. Survey respondents included CFOs, heads of procurement/vendor management, CROs, heads of internal audit and compliance, and IT risk function leads.

Kristian Park, EERM partner at Deloitte, commented: “With the European Union’s General Data Protection Regulation (GDPR) coming into force across Europe at the end of next month, organisations will already be looking with renewed focus at their third party structures. For some, there’s still some way to go to implement adequate sub-contractor management. Compliance with the GDPR not only covers organisations themselves, but also the contractors and sub-contractors with whom they engage. Under the new GDPR, sub-contractors representing fourth and fifth parties must be appropriately monitored. While the specific responsibilities will depend on whether they’re considered a data ‘controller’ or ‘processor’, such responsibilities typically include demonstrating robust data security safeguards and reporting data breaches within 72 hours.”

Park added: “In the run-up to 25 May, we would expect to see more organisations make additional investments to adequately manage multiple layers of outsourcers. There’s no ‘one-size-fits-all’ here. The appropriateness of contractor monitoring for the GDPR is defined by the nature of dependency from the perspective of data. The frequency and rigour of monitoring is expected to intensify the greater the reliance in terms of confidential data.”

Regular monitoring of sub-contractors

Regular monitoring of sub-contractors remains low, with just 2% of those organisations surveyed engaging in this periodically and 10% solely reviewing sub-contractors identified as being critical to the continuity of business.

Park continued: “This means that 88% of organisations are either dependent on their third parties to conduct sub-contractor risk reviews or have an unstructured, ad hoc approach to fourth and fifth party oversight. This figure could also indicate that some organisations are simply unaware of their policy or, more alarmingly, don’t have one. At the same time, the survey reveals that some organisations are already making additional investments into EERM initiatives. These organisations recognise the business case and see the opportunity to enable growth, innovation and business performance from their contractors and sub-contractors in a risk-intelligent way.”

Reliance on third parties continues to grow this year, with over half (53%) of respondents reporting ‘some’ or a ‘significant’ increase in dependency. Changing regulation and heightened levels of regulatory scrutiny were considered the two greatest contributory factors to the risk inherent in that growing dependency.

Streamlining EERM systems

Despite critical levels of third party dependency, only 20% of organisations have streamlined their EERM systems and processes. Some 53% of this year’s respondents now believe that their journey to achieve EERM maturity will take two to three years or more.

“This is a significantly longer journey than anticipated in earlier surveys when respondents reported that this could be achieved in six months to a year,” concluded Park. “This reflects a more realistic timeframe. We would expect organisations to be closely aligning plans to address the expected regulatory outlook over this period.”

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications). Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000, having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute’s George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian is actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications’ dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.