GDPR: Majority of firms lack visibility through supply chain

Some 57% of global organisations do not have appropriate visibility of subcontractors engaged by their third parties, according to a new survey from Deloitte. A further 21% are unsure of oversight practices, and fewer still (2%) routinely review the risk subcontractors pose to their organisation.

Kristian Park, enterprise risk management partner at Deloitte, said that for some firms there is a long way to go to implement adequate subcontractor management. "Compliance with GDPR not only covers organisations themselves, but also the contractors and subcontractors they engage. Under the regulation, subcontractors representing fourth and fifth parties must be appropriately monitored. Whilst the specific responsibilities will depend on whether they're considered a data 'controller' or 'processor', such responsibilities typically include demonstrating robust data security safeguards, and reporting data breaches within 72 hours.

"In the run-up to May 25th, we'd expect to see more organisations make additional investments to adequately manage multiple layers of outsourcers. There is no one-size-fits-all, and the appropriateness of contractor monitoring for GDPR is defined by the nature of dependency from the perspective of data. The frequency and rigour of monitoring is expected to intensify, the greater the reliance in terms of confidential data."

Regular monitoring of subcontractors remains low, according to Deloitte's study: just 10% of organisations review subcontractors at all, and those reviews cover only the subcontractors identified as critical to business continuity.

"This means that 88% of organisations are either dependent on their third parties to conduct subcontractor risk reviews, or have an unstructured, ad-hoc approach to fourth and fifth party oversight. This figure could also indicate that some organisations are simply unaware of their policy or, more alarmingly, do not have one," Park added.

Reliance on third parties continues to grow this year, with over half (53%) of respondents reporting 'some' or 'significant' increase in dependency. Changing regulation and heightened levels of regulatory scrutiny were considered the two greatest contributory factors to the risk inherent in that growing reliance.

"This is a significantly longer journey than anticipated," Park said.
