Prior to the General Data Protection Regulation (GDPR), organizations were accustomed to collecting large sums of data that were often stored by third parties on their behalf. Though many of these organizations may have had a vendor risk management (VRM) program in place, the GDPR's increased focus on the risks of outsourcing data processing activities, extensive extraterritorial scope, and hefty fines have placed a new sense of urgency on the need for robust VRM programs.
Throughout our series on vendor risk management, we have discussed the ways VRM is changing today, from the biggest challenges to strategies for identifying and mitigating vendor risks. In this post, we focus on this year’s seminal privacy regulation, the GDPR, its impact on third-party risk management, and how your VRM program must evolve to meet these new requirements.
How has the GDPR affected third-party vendors?
The GDPR has placed an unprecedented level of accountability on third parties (those companies that process data on behalf of other companies). Under the GDPR, in-scope vendors must increase security and privacy measures around personal data-processing activities. The regulation has five key articles pertaining to the new responsibilities of third parties:
- Article 28 (2), Processor's Duty: Prohibits data processors from engaging another processor without prior specific or general written authorization of the data controller.
- Article 30, Records of Processing: Requires data processors to maintain a detailed inventory of EU residents’ personal data.
- Article 32, Security of Processing: Requires data processors to implement information security controls.
- Article 33, Breach Notification: Requires processors to report any incidents and breaches without undue delay.
- Article 36, Prior Consultation: Requires processors to perform Data Protection Impact Assessments (DPIAs) and consult with Supervisory Authorities where the processing of personal data results in a high risk to the rights and freedoms of individuals.
While the regulation has increased the requirements for vendors, the responsibility for incidents or data breaches remains with the data controller. This has led many organizations to restructure and strengthen their VRM programs.
What steps should organizations take to align their VRM program with the GDPR?
Step 1: Assessing your VRM program against the GDPR
The first step in aligning a VRM program with the GDPR is building a vendor assessment framework that addresses the organization’s specific requirements and incorporates recognized best practices. Developing this framework requires gathering and reviewing existing policy and procedures documentation, evaluating vendor questionnaires, selecting metrics for vendor assessments, and identifying opportunities for improvement.
Step 2: Determining baseline assessment criteria
Controllers can use the GDPR as an opportunity to establish or reevaluate the baseline requirements necessary for vendor relationships. As explained in part 2 of this series, the types of services to be provided, the purpose for data sharing, and the data types the vendor will access should determine which requirements a vendor must meet.
Concerning GDPR compliance, controllers must be able to identify in-scope vendors that have access to and/or may be processing EU personal data. When evaluating whether a third party will meet the organization’s baseline security and privacy requirements, organizations should consider:
- Leveraging onboarding and security checklists and in-depth questionnaires (for example, to identify the systems, processes, and personnel involved in the relationship, the data elements that will be shared, and the controls in place to safeguard that data);
- Performing vendor risk evaluations based on pre-determined criteria that the organization places value upon (for example, using questionnaires or audits to identify higher-risk vendors, such as those that process a higher volume of data and/or sensitive EU personal data on behalf of the organization); and
- Implementing vendor monitoring practices that use privacy and security metrics for reporting and for evaluating control performance, especially for vendors or potential partners that will have access to sensitive data and/or EU personal data.
Are there specific requirements that should be included in third-party contracts under the GDPR?
Once an organization has determined that a vendor meets their baseline requirements and decides to enter into a contractual agreement, the contracting organization should ensure that the contract includes specific GDPR requirements, such as:
- Establishing limitations for cross-border transfers,
- Defining the data controller/processor relationship and the specific details of the purpose(s) for which data will be used,
- Mandating that data should not be processed beyond the purpose for which it was shared with the vendor, and
- Establishing the processes the third party will use to report any incidents or breaches to the organization.
What should periodic vendor evaluations include under the GDPR?
After a third-party vendor relationship has been established, a necessary, but often overlooked, step is conducting periodic vendor reviews. These evaluations and assessments should include the review of contracts, the lawful bases for data processing, security measures, and legal obligations. Data controllers can leverage the information gathered during baselining activities to help in these evaluations. They can also track their third parties based on the information obtained through the assessment activities. For example, this can be a review of documented technical and organizational safeguards found in SOC reports, contracts, or other types of attestation, which can be used to verify that the processor aligns with the necessary standards and controls for data protection and privacy, the requirements of the GDPR, and your organization’s unique requirements.
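The baseline criteria above (in-scope determination, risk tiering by data sensitivity and volume), the contract provisions listed for vendor agreements, and the periodic-review step can be tracked as a small vendor register. The following script is an added example, not code from the original post or from Focal Point; the vendors, the scoring weights, the 100,000-record "high volume" threshold and the review intervals are all constructed assumptions that a program would replace with its own pre-determined criteria.

```python
"""Added example: vendor register with GDPR-aligned risk tiering and contract gap checks.
All vendors, thresholds and review intervals below are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Contract provisions the post lists for GDPR-relevant vendor agreements.
REQUIRED_CLAUSES = {
    "cross_border_transfer_limits",            # limitations on cross-border transfers
    "controller_processor_roles_and_purpose",  # controller/processor relationship and purpose(s)
    "purpose_limitation",                      # no processing beyond the shared purpose
    "incident_reporting_process",              # how incidents/breaches are reported back
}

# Assumed review cadence per risk tier, in days (a program would set its own).
REVIEW_INTERVAL_DAYS = {"high": 180, "medium": 365, "low": 730}
HIGH_VOLUME_RECORDS = 100_000  # assumed threshold for "higher volume of data"


@dataclass
class Vendor:
    name: str
    processes_eu_personal_data: bool
    sensitive_data: bool                 # e.g. special categories of personal data
    record_volume: int                   # approximate number of data-subject records
    uses_subprocessors: bool
    subprocessor_authorization: bool     # written authorization, as Article 28(2) requires
    contract_clauses: set = field(default_factory=set)
    last_assessment: Optional[date] = None


def is_in_scope(v: Vendor) -> bool:
    """A vendor is in scope for GDPR purposes when it handles EU personal data."""
    return v.processes_eu_personal_data


def risk_tier(v: Vendor) -> str:
    """Tier an in-scope vendor from pre-determined criteria (assumed weights)."""
    if not is_in_scope(v):
        return "out-of-scope"
    score = 0
    if v.sensitive_data:
        score += 2
    if v.record_volume >= HIGH_VOLUME_RECORDS:
        score += 1
    # Sub-processing without written controller authorization raises the tier.
    if v.uses_subprocessors and not v.subprocessor_authorization:
        score += 1
    if score >= 3:
        return "high"
    if score >= 1:
        return "medium"
    return "low"


def contract_gaps(v: Vendor) -> list:
    """Required GDPR clauses missing from the vendor's contract."""
    return sorted(REQUIRED_CLAUSES - v.contract_clauses)


def review_due(v: Vendor, today: date) -> Optional[date]:
    """Next periodic review date; unassessed in-scope vendors are due immediately."""
    tier = risk_tier(v)
    if tier == "out-of-scope":
        return None
    if v.last_assessment is None:
        return today
    return v.last_assessment + timedelta(days=REVIEW_INTERVAL_DAYS[tier])


def assess(v: Vendor, today: date) -> dict:
    """One register row: scope, tier, contract gaps and review status."""
    due = review_due(v, today)
    return {
        "name": v.name,
        "in_scope": is_in_scope(v),
        "tier": risk_tier(v),
        "contract_gaps": contract_gaps(v) if is_in_scope(v) else [],
        "review_due": due,
        "review_overdue": due is not None and due < today,
    }


# Constructed sample register (not real vendors).
SAMPLE_VENDORS = [
    Vendor("Payroll SaaS (constructed)", True, True, 250_000, True, False,
           {"purpose_limitation", "incident_reporting_process"}, date(2017, 9, 1)),
    Vendor("Marketing analytics (constructed)", True, False, 5_000, False, False,
           set(REQUIRED_CLAUSES), None),
    Vendor("Office cleaning (constructed)", False, False, 0, False, False, set(), None),
    Vendor("Support ticketing (constructed)", True, False, 120_000, True, True,
           set(REQUIRED_CLAUSES), date(2018, 1, 15)),
]


def assess_all(vendors=SAMPLE_VENDORS, today: date = date(2018, 6, 1)) -> list:
    """Assess every vendor; high-tier vendors first so reviewers see them on top."""
    rows = [assess(v, today) for v in vendors]
    order = {"high": 0, "medium": 1, "low": 2, "out-of-scope": 3}
    return sorted(rows, key=lambda r: order[r["tier"]])


if __name__ == "__main__":
    for row in assess_all():
        print(row)
```

The register only captures what the vendor questionnaire and contract review already produced; its value is that the same criteria are applied to every vendor and that a missing clause or an overdue review surfaces automatically rather than being noticed during an incident.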
Third-party relationships will require a renewed focus for organizations that must be GDPR compliant. During this first year of the GDPR especially, organizations and their vendors will need to reevaluate key processes, policies, and contracts to ensure they meet these new requirements. Vendors will need to develop a firm understanding of their new data protection responsibilities under the GDPR, as well as the consequences of noncompliance, and make the changes necessary to secure the data they handle on behalf of their clients. Contracting organizations must establish a detailed framework for their VRM program that aligns with the GDPR, identify opportunities for improvement, and carefully evaluate their current vendor relationships. Under the GDPR, both organizations and their vendors have the heavy responsibility of protecting data subjects’ information, a task that requires careful evaluation, improvement, and ongoing maintenance.
Focal Point specializes in helping companies and third-party organizations evaluate and improve their vendor risk and data protection programs and has a team of experts dedicated to understanding the requirements of the GDPR.
Disclaimer: Focal Point Data Risk, LLC is not a law firm and does not provide legal advice. This content is intended for informational purposes only.