Before the General Data Protection Regulation (GDPR) came along, organisations were almost habitually collecting large volumes of data that were often stored and processed by third parties on their behalf. Though many of these organisations may have had a vendor risk management (VRM) program in place, the GDPR's increased focus on the risks of outsourcing cloud hosting and data-processing activities, its extensive extraterritorial scope, and its hefty fines have placed a new sense of urgency on the need for robust VRM programs.
Throughout our series on vendor risk management, we will discuss the ways VRM is changing today, from the biggest challenges to strategies for identifying and mitigating vendor risks. In this post, we look at the GDPR, its impact on third-party risk management, and how your VRM program must evolve to meet these new requirements.
How has the GDPR affected third-party vendors?
The GDPR has placed an extraordinary level of accountability on third parties (those companies that process data on behalf of other companies). Under the GDPR, in-scope vendors must increase the security and privacy measures around their personal-data-processing activities. Five key articles set out, or directly shape, the new responsibilities of third parties:
- Article 28(2), Processor's Duty: Prohibits data processors from engaging another processor (a sub-processor) without the prior specific or general written authorisation of the data controller.
- Article 30, Records of Processing: Requires data processors to maintain a record of the categories of processing activities carried out on behalf of each controller (Article 30(2)), including any transfers to third countries and a general description of the security measures in place; in practice this means keeping an inventory of the personal data the processor handles and where it is processed.
- Article 32, Security of Processing: Requires processors (as well as controllers) to implement appropriate technical and organisational security measures, proportionate to the risk the processing poses to individuals.
- Article 33, Breach Notification: Requires processors to notify the controller without undue delay after becoming aware of a personal data breach (Article 33(2)), so that the controller can meet its own 72-hour deadline for notifying the supervisory authority.
- Article 36, Prior Consultation: Requires the controller to consult the supervisory authority before processing where a Data Protection Impact Assessment (DPIA, Article 35) indicates that the processing would result in a high risk to the rights and freedoms of individuals; processors must assist the controller with DPIAs and prior consultation (Article 28(3)(f)).
While the regulation has expanded the requirements for vendors, the controller remains accountable for the processing it commissions: it must use only processors that provide sufficient guarantees of compliance (Article 28(1)) and cannot contract that accountability away, even though processors now carry direct obligations and liability of their own. This has led many organisations to restructure and strengthen their VRM programs. The steps organisations should take to align their VRM program with the GDPR are as follows.
Step 1: Assessing your VRM program against the GDPR
The first step in aligning a VRM program with the GDPR is building a vendor assessment framework that addresses the organisation’s specific requirements and incorporates recognised best practices. Developing this framework requires gathering and reviewing existing policy and procedures documentation, evaluating vendor questionnaires, selecting metrics for vendor assessments, and identifying opportunities for improvement.
Step 2: Determining baseline assessment criteria
Controllers can use the GDPR as an opportunity to strengthen the baseline requirements for vendor relationships. The type of service a vendor provides, the purpose for which data is shared, and the categories of data the vendor will access should determine the level of data security a vendor must demonstrate before it is engaged.
Concerning GDPR compliance, controllers must be able to identify in-scope vendors: those that have access to, or may be processing, EU personal data on the controller's behalf. When evaluating whether a third party will meet the organisation's baseline security and privacy requirements, organisations should consider:
- Leveraging onboarding and security checklists and in-depth questionnaires to identify the systems, processes and personnel involved in the relationship, the data elements that will be shared, and the controls in place to safeguard that data;
- Performing vendor risk evaluations against predetermined criteria that the organisation values, for example using questionnaires or audits to identify higher-risk vendors, such as those that process a higher volume of data and/or sensitive EU personal data on behalf of the organisation; and
- Implementing vendor monitoring practices that use privacy and security metrics for reporting and to evaluate control performance, especially for vendors or potential partners that will have access to sensitive data and/or EU personal data.
What are the specific requirements that should be included in third-party contracts under the GDPR?
Once an organisation has determined that a vendor meets its baseline requirements and decides to enter into a contractual agreement, the contracting organisation should ensure that the contract includes the specific terms the GDPR requires of a controller-processor contract (Article 28(3)), such as:
- Establishing limitations on cross-border transfers and the transfer mechanism (for example, standard contractual clauses) that will be relied on for any transfer of personal data outside the EU/EEA,
- Defining the data controller/processor relationship, the subject matter and duration of the processing, the types of personal data and categories of data subjects involved, and the specific purpose(s) for which the data will be used,
- Mandating that data be processed only on the controller's documented instructions and not beyond the purpose for which it was shared with the vendor, and
- Establishing the processes the third party will use to report any incidents or personal data breaches to the organisation.
Article 28(3) also requires the contract to bind the processor to confidentiality for its personnel, to the Article 32 security measures, to the same sub-processor conditions for any sub-processor it engages, to assisting the controller with data subject requests, DPIAs and breach notification, to deleting or returning the data at the end of the service, and to making available the information needed to demonstrate compliance, including allowing audits. A vendor contract that omits any of these terms is not GDPR-compliant, however strong the vendor's own security posture.
What should vendor evaluations include under the GDPR and how often should they be carried out?
After a third-party vendor relationship has been established, a necessary but often overlooked step is conducting periodic vendor reviews. These evaluations and assessments should include a review of the contracts, the lawful bases for data processing, the security measures in place, and the vendor's legal obligations. Data controllers can reuse the information gathered during baselining activities in these evaluations and can track their third parties on the basis of what the assessment activities uncover. For example, a review of the documented technical and organisational safeguards found in SOC reports, contracts, or other forms of attestation can be used to verify that the processor still meets the standards and controls required for data protection and privacy, the requirements of the GDPR, and your organisation's own requirements. The review frequency should follow the vendor's risk tier: vendors that process sensitive or high volumes of EU personal data warrant at least annual review and a re-assessment whenever their services, sub-processors, or processing locations change.
Third-party relationships will require a renewed focus for organisations that must be GDPR compliant. Especially in the first years of the GDPR, organisations and their vendors will need to re-evaluate key processes, policies, and contracts to ensure they meet these requirements. Vendors will need to develop a firm understanding of their new data protection responsibilities under the GDPR, as well as the consequences of non-compliance, and make the changes necessary to secure the data they handle on behalf of their clients.
Contracting organisations must establish a detailed framework for their VRM program that aligns with the GDPR, identify opportunities for improvement, and carefully evaluate their current vendor relationships. Under the GDPR, both organisations and their vendors have the heavy responsibility of protecting data subjects’ information, a task that requires careful evaluation, improvement, and ongoing maintenance.
Relentless Privacy and Compliance specialises in helping companies build and manage third-party organisation management frameworks to evaluate and improve their vendor risk and data protection programs and has a team of experts dedicated to understanding the requirements of the GDPR.
Relentless GDPR Assessment provides controllers with a comprehensive gap analysis and risk report enabling controllers to make sound partnership decisions and fulfil their compliance requirements.