When data from 2.1 million people was published on the Darknet after the SportAdmin breach, it wasn't just the software company that had a problem. Every sports team using the system was also affected—because they are the data controllers for member data.
GDPR Article 28 requires that you, as the data controller, only use data processors that provide adequate security guarantees. Most sports teams, housing cooperatives, and volunteer organizations choose membership systems based on price and functionality. Security rarely comes up. The SportAdmin case shows why it should.
Practical point: Are you on the board of a sports team, association, or other organization that uses a cloud-based membership system? Ask your provider three questions: have they conducted a security audit in the last year, do they have intrusion detection, and do you have a data processing agreement that governs notification and liability in the event of incidents?