Will GDPR prevent companies using 3rd parties with such a bad history?
GDPR article 28
"Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject. " [http://www.privacy-regulation.eu/en/index.htm]
Think Equifax may struggle to provide such guarantees based on recent behaviour. Assuming the regulations expect guarantees to be worth more than the paper they are written on.