Managing Third-Party Risk Under GDPR
Today we're diving back into an important topic, General Data Protection Regulation (GDPR) compliance – that is, the EU’s sweeping data protection and privacy regulation designed to give individuals more control over their personal data and privacy protection. As you know, the regulation has massive data collection, storage, portability, and use implications for any company that accesses data belonging to EU individuals, which pretty much means all of us.
It also has an impact on how companies choose and manage relationships with third-party vendors and data processors. Cultivating an understanding of how the new regulation applies as data flows across various systems, roles, and responsibilities is a good way to help fill compliance gaps. In light of this, we've pulled together a list of key considerations and steps to take to make sure that your vendor management is GDPR compliant.
To start, ensure legal clarity on new requirements
According to the International Association of Privacy Professionals (IAPP), achieving legal clarity first and foremost is key in preventing compliance goals from becoming misguided, and it begins with understanding new roles and responsibilities as defined by the GDPR. The GDPR distinguishes between data controllers and data processors - that is, companies and the parties they work with to make data useful through processing.
GDPR Roles & Responsibilities - Definitions
Processing: Any operation or set of operations – automated or manual – performed on personal data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure and more
Data Controller: The entity (i.e. a company) that determines the purposes, conditions, and means of the processing of personal data
Data Processor: An entity (i.e. a vendor) that processes personal data on behalf of the controller
The more complex your system of internal and outsourced processors is, the greater your data’s net exposure and exposure risk, so understanding the more granular elements of the GDPR that relate to data processors is key. Articles to pay specific attention to include:
- Article 28 (1)-(3): Processor Obligations
- Article 24(1): Controllers
- Article 29: Processing under the authority of the controller or processor, and
- Article 46(1): Transfer subject to appropriate safeguards.
For an easy, clickable GDPR Table of Contents, click here.
The most important, basic takeaway from these articles is that good data governance falls squarely on the shoulders of the business using the data and/or its insights - companies cannot "simply outsource the responsibility of data governance and privacy compliance to their vendors." Indeed, in the event of a violation or data security breach caused by a vendor, it is the company that is held liable.
"Companies have an obligation to conduct due diligence, have appropriate contract terms in place, and must monitor the services provided by vendors to ensure they are processing data in accordance with applicable data protection regulations."
International Association of Privacy Professionals (IAPP)
In "broad strokes," the folks at IAPP name the following elements in mastering GDPR-compliant vendor management:
- Identifying the right people
- Formulating a process for interfacing with vendors
- Leveraging technology to manage the process
- Keeping solid metrics for internal and external compliance purposes.
For more from IAPP, read their "Strategic approach to vendor management under GDPR."
Vendor Selection with an eye on GDPR Compliance
Joining in the discussion on how to tackle elevated third-party risk under GDPR, the team at Shared Assessments addresses tactics for selecting third-party vendors with a GDPR-compliance mindset. Below is a list of best practices.
- Understand which GDPR regulations apply to the vendor
- Assess the third party's GDPR readiness
- Assess the third party's overall security posture
- Track how the vendor retains, accesses, and transfers sensitive data
- Address the contract provisions to ensure they reflect GDPR requirements
- Conduct testing of key privacy controls
Read Shared Assessments' guide, which includes other important steps toward third-party GDPR compliance.
Updating Third-Party Vendor Contracts for GDPR Compliance
A recent report from PricewaterhouseCoopers (PwC), "An Action Plan for Tackling Third-Party GDPR Risk," digs deeper into the specific changes made necessary by the GDPR, in comparison to traditional third-party risk management (TPRM) programs and their contracts.
Features of Traditional TPRM Programs
- Inventory of third parties and the type of data they process
- Requiring vendors to adopt standard contractual clauses addressing information security
- Vetting responses to security due diligence questionnaires
- On-site security reviews or audits
In addition to understanding the nature, scope, context, scale, and purposes of processing carried out by a third party, data controllers also need to exercise a greater level of due diligence to ensure third-party relationships comply with the new privacy requirements:
- Third-party breach notifications
- Records of processing
- Roles and responsibilities
- Security controls
- Doing business across borders
- Demonstrating compliance
- Adding several columns of GDPR-related metadata to their vendor data inventory
- Adding new GDPR-related criteria to the vendor risk-ranking formulas
- Adding privacy-related requirements to the standard contractual clauses and rolling those addendums out to impacted third parties
- Adding privacy-related requirements to due diligence questionnaires
- Adding privacy controls to onsite audits
- Enhancing the frequency and rigor of ongoing vendor monitoring to detect changes in the scope of vendors’ data processing and facilitate reporting of DPIAs and suspected compromises of EU personal data
For a free download of the complete PwC Action Plan, click here.
Stay tuned as we continue to cover the GDPR and its implications right here in our blog. For continued reading, check out our recent post "Fostering Firm-wide Compliance: A Post-GDPR Adoption To Do List".