If being tasked with ensuring your organisation achieves compliance with the General Data Protection Regulation (GDPR) is not difficult enough, the task of putting in place a strategy for managing the GDPR compliance of the parties to whom you outsource the processing of your customers' personal data (data processors) can seem like the mountain stages of the Tour de France. The monumental shift of accountability and responsibility now placed upon data controllers has changed the landscape of vendor relations for the good of both parties, but more so for the controller.
Together with this shift in responsibility, companies will also need to establish more rigorous due diligence practices for managing their relationships with vendors who act as data processors.
As an example, a global tech company offering cloud SaaS services may act as a controller with regard to its own employees' data and as a processor with regard to its customers' data. Under the GDPR, the company would be accountable for the vendors used to manage its EU employee data (in that case, its processors) and the vendors used to manage its EU customer data (in that case, its sub-processors).
Don’t expect vendors to roll out the red carpet when it comes to due diligence; be prepared for push-back when you raise the privacy bar and tighten what is expected and demanded of a vendor entrusted with your customer data.
Make no mistake, the task of vendor management is not an easy road and can be resource-sapping.
But the organisation’s obligation to comply with GDPR could not be clearer: the penalties are steep, and the collateral public relations and brand damage can have an exponential effect on a company’s performance and balance sheet.
So what is the best and smartest approach to vendor management under GDPR, I hear you ask?
Here we outline some best practices for conquering this challenge.
1: What are the legal requirements?
Before sending your team into battle in an attempt to simplify the compliance process and make it more efficient and less resource-sapping, you absolutely must have a clear understanding of what the GDPR specifies as your obligations for managing the complexity of processor relationships.
Be sure to examine:
- Article 28(1)-(3): Processor obligations
- Article 24(1): Controllers
- Article 29: Processing under the authority of the controller or processor, and
- Article 46(1): Transfers subject to appropriate safeguards.
After reading through the above, it will become glaringly obvious that your organisation cannot simply sign on the dotted line and hand valuable assets (your customers' personal data) over to an outsourced partner for processing without conducting in-depth due diligence. In the worst-case scenario of a data breach at your data processor's organisation, the spotlight will always start by shining on how the data was assigned to the processor and under what conditions. Three vital pillars of controller/processor arrangements are:
1: Contract terms must be in place.
2: Controllers must monitor the services provided by the processor during the arrangement.
3: At the end of the arrangement, the controller must manage the return and destruction of the personal data the processor is holding.
If there is a violation or data breach caused by a vendor, your organization will be liable.
Best practices for applying such a wide-ranging approach to vendor management include:
identifying the right people, formulating a process for effective communication with vendors, leveraging technology to manage the process, and retaining solid metrics for internal and external compliance purposes.
A first step is to establish who within your organization should be engaged in vendor selection and management. Someone should be accountable within each business unit that uses vendors; this may be a senior manager or director of a particular operational business unit or product team. It helps to identify these privacy champions, who are responsible for following company policy on vendor management and for promoting a culture of mindful sharing of data with vendors. While it’s great if you have a formal Vendor Management Department, the best strategy is to form a data privacy centre of excellence made up of department stakeholders and technical security professionals.
Vendor management cannot be seen as purely a rigorous selection process that is only revisited at the contract renewal stage.
Any processing of personal data by a third-party vendor should be in scope for a GDPR-compliant vendor-management process, regardless of the cost of the service being offered, and should be reviewed throughout the lifecycle of the contract.
Vendor Inventory:
Not having a vendor inventory and a contract record-keeping repository can be a recipe for disaster.
Many companies struggle with the design and maintenance of a complete inventory of vendors and vendor contracts. This is especially true where there are multi-entity divisional silos across the organization, with no central repository of vendor contracts, and local teams retain copies of vendor contracts locally, unsure whether they are up to date.
Ideally, you’ll want a centralized system which not only tracks vendor contracts but also provides robust reporting to flag vendors who process personal data and could be underperforming.
With the right reporting platform in place, your organization will have superior visibility into your vendor management strategy and roadmap, and should have no problem tracking progress and measuring success or failure. This is key, because you will want to be able to produce evidence which demonstrates compliance with GDPR.
Relentless Data Privacy and Compliance have a wide range of services covering all aspects of the GDPR journey.