Third-party vendors could be Achilles’ heel for GDPR compliance

A global survey of senior legal counsel at 448 institutions has found that a majority (54 per cent) feel their businesses are not prepared for the EU’s General Data Protection Regulation (GDPR) which comes into force on 25 May, 2018. While GDPR is EU legislation, it will apply to all businesses internationally that manage or handle EU citizen’s data. The regulation includes fines of up to the greater of €20 Million or 4 percent of corporate annual turnover for firms that do not comply.

The research, which was commissioned by KPMG Global Legal Services and conducted by The Legal 500, demonstrates the varied level of confidence businesses across the EU and other markets (e.g. Australia, Brazil, Russia, Taiwan and USA) have in their ability to meet the 25 May deadline for GDPR compliance.

Surprisingly an overwhelming majority of businesses both within and outside the EU, seemed to not have scrutinised third-parties (e.g. commercial suppliers) as a source of compliance risk to their institutions. Only 10 per cent of the organisations surveyed have checked whether these third-parties are in compliance with GDPR. Under GDPR third-party data breaches could potentially have a significant financial impact on unsuspecting large organisations, who outsource their data processing.

Juerg Birri, KPMG’s Global Head of Legal Services, commented on the findings:

“The research conducted by Legal 500 demonstrates that a gulf still exists between the perception of GDPR preparedness and the reality. In particular it appears too few boards are fully aware of the significant risks of non-compliance and many non-EU businesses have underestimated the impact that the legislation will have on them if they handle EU data. Surprisingly, many businesses haven’t looked at their supply chain as a potential risk for GDPR compliance. This is particularly challenging for global organisations, with thousands of suppliers, and could be costly if not addressed with the appropriate rigour needed under the GDPR.

“Yet for all the risk, GDPR is a good opportunity to win consumer trust, examine closely how data is collected and stored, and prepare for a world where this data will become increasingly valuable. Many of our clients see GDPR as an opportunity to build a picture of how their organisation manages data, which has recently become a key element for company reputation.”

General Counsel setting the data protection agenda

Unexpectedly, General Counsel (GCs) are leading on GDPR compliance. GCs were more likely to be responsible for setting data protection compliance policies than any other function leader across the organisations surveyed. The research finds that GCs were responsible for setting data protection compliance policies at over a third (34 per cent) of organisations,  while chief compliance officers were responsible at only a quarter.

No matter who is responsible, the results showed that a key challenge for the majority of businesses is ensuring the board takes data security seriously: This was viewed by GCs as the single most important thing a business can do to protect itself from GDPR-related risks.

At organisations where data security and cyber risk are not considered matters for senior management, only 13 per cent of GCs feel prepared for GDPR. However, at organisations where data security and cyber risk are board-level issues, half of GCs feel prepared.

The study shows that an engaged board helps at every stage of the journey toward GDPR compliance. This is clear when we compare the measures taken at organisations which see GDPR as a board-level issue vs those which do not:

  • 69 per cent of businesses with an engaged board have appointed a data protection officer (vs 27 per cent where the board is not engaged)
  • 55 per cent document all of their data processing activities (vs 38 per cent)
  • 49 per cent feel employees are mostly or fully aware of their obligations under GDPR and national laws (vs 32 per cent)
  • Only 6 per cent feel employees are not aware at all (vs 23 per cent)
  • 61 per cent feel that their employees specifically responsible for processing personal data are aware of their obligations under GDPR and national laws (vs 38 per cent)


Mark Thompson, global privacy lead at KPMG concluded:

“With a month to go till the regulation comes into force, many organisations are still scratching their heads as to what they need to do and should do, let alone consider the impact of third party suppliers. Come D-day, the reality is that early on we can expect that a few high profile examples will be made of non-compliant businesses, but perhaps not the tsunami some foresee. It is fundamentally important for businesses to realise that they need to get their houses in order for the long term, as privacy is not only important for the 25th May, but for life.”

Interestingly, respondents in Brazil (52 per cent) Russia (44 per cent), Australia (51 per cent) and the US (51 per cent) were, on average, more likely than those in the EU to feel they had prepared for GDPR. However, their confidence may be misplaced. While many of these organisations reported processing the personal data of EU citizens, few had taken steps to document and monitor this activity.