Third-party breaches are structurally different from direct attacks. The intrusion happened on someone else's systems, often days before you hear about it, and you may never see the attacker's activity in your own logs. Your organisation gets the phone call, not the intrusion. And yet, under GDPR and UK data protection law, the clock starts ticking the moment you know.
You didn't choose the attacker. You didn't choose the vulnerability. You do, however, choose how well-prepared your people are for the moment the notification lands.
What Is the Organisation's Liability When a Third-Party Supplier Is Breached?
Your liability begins the moment you become aware that personal data you control has been compromised, regardless of where the breach occurred. If your supplier processes data on your behalf, the supplier is the processor and you are the data controller. The processor's duty is to tell you without undue delay; the notification obligation to the ICO, the risk assessment, and the 72-hour reporting window are yours.
Most CISOs know this in theory. The gap is in practice. When the call comes in from a supplier at 4pm on a Friday, the question isn't what the law says. It's whether your team knows what to do in the next two hours and how fast they can actually do it.
How Does a Third-Party Breach Actually Unfold?
The pattern is consistent. The supplier identifies anomalous activity. Its investigation takes hours or days. By the time it notifies you, the exposure window is already 24 to 72 hours old. Your 72-hour ICO notification clock begins not when the supplier knew, but when you knew: in ICO guidance, when you have a reasonable degree of certainty that personal data you control has been affected. A supplier's initial notice usually establishes that, so the clock is running from the first call, not from the end of your own investigation.
LimitedView's analysis of breach response across 847 organisations shows that 61% of third-party breach notifications trigger a gap in internal response. The team hasn't rehearsed this specific scenario. They've rehearsed direct attacks. A supplier breach creates immediate ambiguity: whose logs do we need? Who holds the supplier contract? What data did they actually have access to?
That ambiguity costs time. Time costs regulatory exposure.
What Data Do You Need to Assess Risk After a Supplier Breach?
You need four things immediately: the categories of data involved, the approximate number of data subjects and records affected, the likely consequences for individuals, and what technical and organisational measures the supplier had in place. The ICO notification will also ask what measures have been taken or are proposed to contain the breach and mitigate its effects, so ask the supplier that question in the same call.
The supplier will often give you two of those four willingly. The other two require pushing. Specifically, you need the measures they had in place. This matters because your notification to the ICO must include an assessment of risk, and that assessment depends on whether the data was encrypted, pseudonymised, or stored in plaintext. Be precise about encryption: data encrypted at rest only reduces the risk to individuals if the keys were not also accessible to the attacker, and it is that combination, not the word "encrypted", that supports a decision not to notify affected individuals. A supplier saying "we take security seriously" is not an answer to that question.
Why Does Staff Training Matter in a Third-Party Incident?
Because the people managing supplier relationships are not your security team. They are account managers, procurement staff, legal teams, and operations leads. When a supplier breach notification arrives, it typically hits them first.
LimitedView's research shows that employees trained in the immediate aftermath of a relevant incident retain 73% of response behaviours at 90 days, against 12% for those who complete scheduled annual training. Third-party breaches are precisely the kind of incident that should trigger training for the non-technical staff who manage supplier relationships, not just the SOC team.
The practical implication: if your organisation processes data through 40 or 50 suppliers, the people who need to know what to do in the first hour of a supplier notification are probably sitting in finance or procurement. They are not reading your incident response runbooks.
What Should the Internal Response Process Look Like?
The first decision is whether the incident meets the threshold for ICO notification. Not all breaches do: the duty to notify is lifted only where the breach is unlikely to result in a risk to individuals. A ransomware attack against a supplier holding employees' names and work email addresses may not meet that threshold, but check two things before concluding so: whether data was exfiltrated as well as encrypted, and whether loss of availability of the data itself harms individuals, since a loss of availability is a personal data breach in its own right. A breach exposing health data, financial information, or authentication credentials almost certainly does meet the threshold.
The threshold assessment should take under two hours if your team has rehearsed it. It shouldn't require three hours of legal counsel debating definitions while the notification clock counts down.
Document everything from the first notification. Even where you decide the threshold is not met, record that decision and the reasoning, because you must keep a record of every breach whether or not it is reported. The ICO's interest in your response includes what you knew, when you knew it, and what you did next. A clear timeline, even a messy one, demonstrates that you took it seriously. The absence of a timeline demonstrates the opposite.
How Do You Reduce Repeat Exposure From Third-Party Incidents?
Two ways. Better supplier due diligence before the incident, and better internal response capability before the next one.
On the first: your supplier due diligence and Data Protection Impact Assessments should cover not just what data suppliers hold but the technical controls they have in place and how they will notify you. GDPR requires your processor contract to oblige the supplier to notify you of a breach without undue delay; that is the floor, not a control. "We will notify you promptly" in a contract is not a control either. A defined notification window of four hours from the supplier's own detection, with a named contact, a defined escalation path, and an obligation to supply the data categories, volumes, and protective measures described above, is.
On the second: organisations that run post-incident training within 48 hours see a 64% reduction in repeat procedural failures in subsequent incidents. The reason is straightforward. The team has experienced the gap between knowing what to do and actually doing it under pressure. Training delivered in that window closes the gap while the experience is still live in the room.
Third-party breaches will keep happening. Your suppliers' security posture is genuinely outside your direct control. What you can control is whether your people know their role when the phone rings, and whether that knowledge holds up under pressure.