GDPR puts sub-contractor risk in spotlight – 88% don’t monitor this
by Bija Knowles
The EU's General Data Protection Regulation (GDPR) will come into force in one month and most companies are by now prepared – but it means reviewing not just third parties but sub-contractors too. More than half (57 per cent) of global organisations, however, feel they do not have appropriate visibility of sub-contractors engaged by their third parties (referred to as fourth/fifth parties), according to Deloitte. The firm's research found:
- 21 per cent are unsure of oversight practices;
- 2 per cent routinely review the risk sub-contractors pose to their organisation;
- 10 per cent only review sub-contractors identified as critical to continuity of business.
Fourth- and fifth-party risk
This means that too many organisations depend on their third parties to monitor and review risk from sub-contractors or have an ad-hoc and unstructured approach to monitoring fourth and fifth parties. Deloitte's Kristian Park commented: “Compliance with GDPR not only covers organisations themselves, but also the contractors and subcontractors they engage. Under the regulation, subcontractors representing fourth and fifth parties must be appropriately monitored.”
Park goes on to explain that sub-contractors have varying responsibilities depending on whether they are a data ‘controller’ or a data ‘processor’, but in any case they have to show robust data security safeguards and report data breaches within 72 hours. He adds: “There is no one-size-fits-all, and the appropriateness of contractor monitoring for GDPR is defined by the nature of dependency from the perspective of data.”
The survey on Extended Enterprise Risk Management gathered responses from 975 companies in 15 countries from the Americas, EMEA and APAC.
