In the pre-GDPR days, it was fairly clear where risk and liability lay with regard to data protection issues within the supply chain: typically one party was the data controller (usually the customer) and the other was the data processor (usually the supplier). Enforcement action could be taken against the data controller, even where the data processor caused the breach. Only data controllers could be held accountable to data subjects for compensation.
However, post-GDPR, data processors can now be held directly accountable, to both the DPAs and the data subject, for certain aspects of the processing of personal data. This has led to a shift in approach and expectation on how risks are managed and allocated within the supply chain.