The Uncomfortable Truth About IT Providers and GDPR

Businesses operate in data environments, and being able to obtain IT support when something goes wrong is key to working effectively. Those IT providers have complete access to a business's digital assets and information. This makes it very risky when those IT providers have no awareness of their security or GDPR obligations. This happened to a client recently when we undertook a gap analysis and revealed some disturbing information about their IT provider.

The Case Study That Raised Red Flags

During a routine gap analysis with one of our clients, we uncovered a scenario that’s unfortunately all too common. Their IT support provider, despite having complete access to sensitive business systems and information, was operating without fundamental GDPR safeguards in place. This situation isn’t just about ticking boxes – it represents real risks to their business.

Critical Gaps We Discovered

1. Missing Documentation
The absence of a formal service contract between the client and IT provider left both parties in a precarious position. Without clearly defined responsibilities and expectations, who’s accountable when things go wrong?
2. Outdated Privacy Practices
The provider’s privacy policy hadn’t been updated since before GDPR implementation in 2018. This isn’t just about having an old document – it suggests a concerning lack of attention to evolving data protection requirements.
3. No Data Processing Agreement
Perhaps most alarming was the absence of a Data Processing Agreement (DPA). When an IT provider has access to your sensitive business data, a DPA isn’t optional – it’s essential for defining how your data can be used and protected.
4. Training Deficiencies
The provider admitted their staff received no GDPR training. In an environment where data breaches often result from human error, this lack of awareness is particularly concerning. Regular training is also a requirement of the legislation under the accountability principle. Not doing any training shows a complete lack of understanding of the organisation's responsibilities.

Why Should This Keep You Up at Night?
The implications of these gaps extend far beyond mere compliance:

  • Your business could face regulatory penalties for failing to protect business data and for unauthorised sharing.
  • Data breaches caused by the IT provider become more likely when they have no clear understanding of their obligations.
  • Incident response becomes chaotic without clear accountability.
  • Your reputation could suffer irreparable damage if there is a data breach or significant downtime.

Your Action Plan

Here’s what you need to do immediately:

  • Due Diligence: Verify your IT provider’s security and GDPR awareness
  • Contract Review: Ensure you have a comprehensive service contract in place
  • Policy Check: Confirm their privacy policy is GDPR-compliant and recently updated
  • DPA Verification: Implement a robust Data Processing Agreement including security requirements
  • Training Validation: Confirm regular staff training occurs, preferably annually
  • Security Assessment: Look for ISO27001 certification or equivalent security measures

The Reality Check

In our experience, it’s rare to find IT providers who meet all these basic requirements. This isn’t about pointing fingers – it’s about protecting your business. Your organisation remains ultimately responsible for GDPR compliance across your supply chain, including your IT provider’s activities.

Taking Action

Start by reviewing your current IT support relationship. Do they meet these basic requirements? If not, it’s time for an honest conversation about expectations and compliance. Don’t wait for a data breach to take this seriously.

If you need help or advice, contact us for an informal discussion about assessing your IT provider’s GDPR compliance. We’re here to help protect your business.