
A GDPR Compliance Checklist for Third-Party Risk Management

Mitigate privacy risks and comply with GDPR requirements by assessing third-party data protection controls with these proactive measures.
By: Scott Lang, VP, Product Marketing
October 20, 2021

Originally passed into law in May 2018, the General Data Protection Regulation (GDPR) is a privacy law that governs the use, movement, and protection of data collected on European Union (EU) citizens. The GDPR covers any organization that collects, stores, processes, or transfers personal data on individuals in Europe, regardless of the organization’s location.

Why Third-Party Risk Management Is Important in the GDPR

Because third parties are often responsible for managing personal data on behalf of their customers, organizations must take special care to ensure those vendors and partners have data protection controls and governance in place. This involves conducting data privacy controls assessments, analyzing the results for potential risks, and requiring third parties to remediate those risks in order to avoid regulatory, financial, and reputational exposure.

The EU aggressively enforces the GDPR, with several notable sanctions levied against companies with third-party failures, including:

  • Luxembourg’s regulatory body fined Amazon €746 million for breaching GDPR, claiming that Amazon’s advertising system isn’t based on “free consent.”
  • In early 2021, France’s data protection authority fined an unnamed data controller €150,000 and its third-party data controller €75,000 for failing to implement adequate security measures.
  • The Data Protection Authority of Hamburg, Germany, fined clothing retailer H&M over €35 million for overly broad monitoring of several hundred employees.
  • Google was fined €50 million by French data regulators for a "lack of transparency, inadequate information and lack of valid consent regarding ads personalization."
  • The UK’s Information Commissioner’s Office fined British Airways £20 million in 2018 for failing to protect the personal and financial details of 400,000 customers.

This post summarizes why organizations should care about GDPR and how they can assess their internal processes and third-party relationships against GDPR requirements.

Third-Party Risk Assessments Are Required Under GDPR

To protect themselves from risk, organizations are required by the GDPR to conduct risk assessments to identify risks both inside the organization and with any third party that will have access to personal data. Recital 76 – Risk Assessment – states that, “Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk.”

Organizations subject to GDPR regulations must ensure that they and their third parties protect the privacy of any personal information collected and/or processed. This means conducting a thorough evaluation of the risks present in each third party and ensuring that appropriate controls are in place to mitigate risk.


Checklist: GDPR Requirements for Assessing Data Processor Controls

The GDPR consists of two components: 99 articles and 173 recitals. The articles describe the legal requirements organizations must follow to demonstrate compliance. The recitals provide supporting context to supplement the articles. The table below summarizes the Articles and Recitals relevant to a third-party risk assessment and guidance. For a complete mapping of GDPR requirements, download the Compliance Checklist.

Each entry below quotes the GDPR requirement (article or recital) and is followed by what it means for third-party risk management.

Article 24: Responsibility of the controller

Paragraph 1

Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.

Article 24 references two Recitals for guidance:

Recital 76: Risk assessment

The likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing. Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk.

Recital 77: Risk assessment guidelines

Guidance on the implementation of appropriate measures and on the demonstration of compliance by the controller or the processor, especially as regards the identification of the risk related to the processing, their assessment in terms of origin, nature, likelihood and severity, and the identification of best practices to mitigate the risk.

When using third parties as “processors,” it is the information controller (owner) that is liable for ensuring each third party has appropriate controls in place to ensure the privacy and security of personal data.

Attempting to conduct third-party assessments using manual questionnaires and spreadsheets is inconsistent and does not scale. In the event of an audit, demonstrating "that processing is performed in accordance" with the GDPR becomes difficult. Manual assessments can result in missed requirements and responses that are poorly answered or incomplete. To satisfy the GDPR requirements, assessments must be objective and scoring must be consistent.

Article 25: Data protection by design and by default

Paragraph 1

… the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymization, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.

Recital 78: Appropriate technical and organisational measures

In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default.

Complying with the GDPR requires deep technical understanding of data processing, data governance, and controls. While most risk assessment surveys focus on general controls and policies, the GDPR requires special treatment of personal information, including pseudonymization, data minimization, and (per Recital 78) data protection “by design and by default.”

Article 28: Processor

Paragraph 1

Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.

Organizations often work with dozens of third parties with access to personal information covered by the GDPR. Examples include advertising partners, data processors (including cloud applications), and cloud hosting providers.

Compliance with the GDPR requires more than simple vendor agreements. It requires understanding how data is used, how it moves, and evidence of specific controls to protect personal data.

Article 28: Processor

Paragraph 3

That contract or other legal act shall stipulate, in particular, that the processor:

(f) assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 considering the nature of processing and the information available to the processor

Articles 32 to 36 provide the requirements for a data protection impact assessment along with continuous monitoring of critical data processors (third parties). Each processor relationship “shall be governed by a contract or other legal act” that obligates the processor to protect personal information. The required risk assessment is to identify risks to personal information and ensure the processor has adequate controls in place.

Article 28: Processor

Paragraph 3

That contract or other legal act shall stipulate, in particular, that the processor:

(h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

Be sure to maintain a complete repository of all documentation collected and reviewed during the diligence process.

Article 32: Security of Processing

Paragraph 1

The controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

Recital 76: Risk Assessment

The likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing. Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk.

While assessments are often viewed as an onboarding exercise, the GDPR and other regulatory standards require continuous compliance. Managing even a single compliance review is challenging with manual processes. Knowing when changed circumstances warrant a reassessment of dozens or hundreds of third parties around the globe is even harder.

Article 35: Data protection impact assessment

Paragraph 1

Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.

Paragraph 7

The assessment shall contain at least:

1) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;

2) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;

3) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and

4) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.

Technology evolves daily and new service offerings can provide enhanced business value. The GDPR makes clear that prior to adopting new ways of processing personal data, organizations must assess the impact of those operations on the data.

Article 45: Transfers On The Basis Of An Adequacy Decision

Paragraph 1

A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection.

Paragraph 2

Such a transfer shall not require any specific authorisation. When assessing the adequacy of the level of protection, the Commission shall, in particular, take account of the following elements:

• the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data.

Increasingly, boards of directors, investors, and customers want to ensure organizations and their partners and suppliers share common values and commitments. The GDPR captures this in Article 45, requiring that human rights and rule of law be considered when transferring personal information.

How Prevalent Helps Meet GDPR Third-Party Risk Requirements

The Prevalent Third-Party Risk Management Platform includes built-in capabilities to assess internal and external risks to consumer data, automate the remediation of findings, and report to regulators on progress. Prevalent:

  • Offers a specific GDPR questionnaire in the Platform, querying the vendor on the technical and organizational measures it uses to protect the rights of the data subject per Article 28, paragraph 1.
  • Provides data controllers with a 360-degree view of data processor risks via clear and concise reporting on control failures, along with recommended remediations, per Article 28, paragraph 3.
  • Centralizes a data processor’s risk profile, enabling a thorough audit of processes mandated by the data controller per Article 28, paragraph 3.
  • Provides ongoing periodic or secondary assessments to continually monitor the technical and organizational measures the data processor has in place to ensure a level of security appropriate to the risk, e.g., regularly testing, assessing, and evaluating the effectiveness of those measures for ensuring the security of the processing per Article 32, paragraph 1.

For more details on how Prevalent can help organizations assess their third-party data protection controls to meet GDPR requirements, read The GDPR Third-Party Compliance Checklist or request a demo today. To learn how third-party risk management applies to 20+ other regulations, download The Third-Party Risk Management Compliance Handbook.

Scott Lang
VP, Product Marketing
Scott Lang has 25 years of experience in security, currently guiding the product marketing strategy for Prevalent’s third-party risk management solutions where he is responsible for product content, launches, messaging and enablement. Prior to joining Prevalent, Scott was senior director of product marketing at privileged access management leader BeyondTrust, and before that director of security solution marketing at Dell, formerly Quest Software. He can be reached on Twitter @scottinohio, LinkedIn and Facebook.