Originally passed into law in May 2018, the General Data Protection Regulation (GDPR) is a privacy law that governs the use, movement, and protection of data collected on European Union (EU) citizens. The GDPR covers any organization that collects, stores, processes, or transfers personal data on individuals in Europe, regardless of the organization’s location.
Because third parties are often responsible for managing personal data on behalf of their customers, organizations must take special care in ensuring those vendors and partners have data protection controls and governance in place. This involves conducting data privacy controls assessments; analyzing the results for potential risks; and requiring third parties remediate those risks to avoid regulatory, financial, and reputational exposures.
The EU aggressively enforces the GDPR, with several notable sanctions levied against companies with third-party failures, including:
This post summarizes why organizations should care about GDPR and how they can assess their internal processes and third-party relationships against GDPR requirements.
To protect themselves from risk, organizations are required by the GDPR to conduct risk assessments to identify risks both inside the organization and with any third party that will have access to personal data. Recital 76 – Risk Assessment – states that, “Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk.”
Organizations subject to GDPR regulations must ensure that they and their third parties protect the privacy of any personal information collected and/or processed. This means conducting a thorough evaluation of the risks present in each third party and ensuring that appropriate controls are in place to mitigate risk.
The GDPR Third-Party Compliance Checklist
Read this report to understand third-party considerations in the General Data Protection Regulation (GDPR) and discover how to include GDPR risk assessments in your broader TPRM initiatives.
The GDPR consists of two components: 99 articles and 173 recitals. The articles describe the legal requirements organizations must follow to demonstrate compliance. The recitals provide supporting context to supplement the articles. The table below summarizes the Articles and Recitals relevant to a third-party risk assessment and guidance. For a complete mapping of GDPR requirements, download the Compliance Checklist.
GDPR Requirements | What It Means |
---|---|
Article 24: Responsibility of the controller Paragraph 1 Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary. Article 24 references two Recitals for guidance: Recital 76: Risk assessment The likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing. Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk. Recital 77: Risk assessment guidelines Guidance on the implementation of appropriate measures and on the demonstration of compliance by the controller or the processor, especially as regards the identification of the risk related to the processing, their assessment in terms of origin, nature, likelihood and severity, and the identification of best practices to mitigate the risk. |
When using third parties as “processors,” it is the information controller (owner) that is liable for ensuring each third party has appropriate controls in place to ensure the privacy and security of personal data. Attempting to conduct third-party assessments using manual questionnaires and spreadsheets is inconsistent and unscalable. In the event of an audit, the ability to “demonstrate that processing is performed in accordance” with the GDPR can be challenging. Manual assessments can result in missed requirements and responses that are poorly answered or incomplete. To satisfy the GDPR requirements, assessments must be objective and scoring consistent. |
Article 25: Data protection by design and by default Paragraph 1 … the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymization, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects. Recital 78 Appropriate technical and organisational measures |
Complying with the GDPR requires deep technical understanding of data processing, data governance, and controls. While most risk assessment surveys focus on general controls and policies, the GDPR requires special treatment of personal information, including pseudonymization, data minimization, and (per Recital 78) data protection “by design and by default.” |
Article 28: Processor Paragraph 1 Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject. |
Organizations often work with dozens of third parties with access to personal information covered by the GDPR. Examples include advertising partners, data processors (including cloud applications), and cloud hosting providers. Compliance with the GDPR requires more than simple vendor agreements. It requires understanding how data is used, how it moves, and evidence of specific controls to protect personal data. |
Article 28: Processor Paragraph 3 That contract or other legal act shall stipulate, in particular, that the processor: (f) assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 considering the nature of processing and the information available to the processor |
Articles 32 to 36 provide the requirements for a data protection impact assessment along with continuous monitoring of critical data processors (third parties). Each processor relationship “shall be governed by a contract or other legal act” that obligates the processor to protect personal information. The required risk assessment is to identify risks to personal information and ensure the processor has adequate controls in place. |
Article 28: Processor Paragraph 3 That contract or other legal act shall stipulate, in particular, that the processor: (h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller. |
Be sure to maintain a complete repository of all documentation collected and reviewed during the diligence process. |
Article 32: Security of Processing Paragraph 1 The controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including: (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. Recital 76: Risk Assessment The likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing. Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk. |
While assessments are often viewed as an onboarding exercise, GDPR and other regulatory standards require continuous compliance. Managing a single compliance review can be challenging using manual processes. Knowing when circumstances would warrant a periodic update across dozens or hundreds of third parties across the globe is even harder. |
Article 35: Data protection impact assessment Paragraph 1 Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks. Paragraph 7 The assessment shall contain at least: 1) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller; 2) an assessment of the necessity and proportionality of the processing operations in relation to the purposes; 3) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and 4) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned. |
Technology evolves daily and new service offerings can provide enhanced business value. The GDPR makes clear that prior to adopting new ways of processing personal data, organizations must assess the impact of those operations on the data. |
Article 45: Transfers On The Basis Of An Adequacy Decision Paragraph 1 A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Paragraph 2 Such a transfer shall not require any specific authorisation. When assessing the adequacy of the level of protection, the Commission shall, in particular, take account of the following elements: • the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data. |
Increasingly, boards of directors, investors, and customers want to ensure organizations and their partners and suppliers share common values and commitments. The GDPR captures this in Article 45, requiring that human rights and rule of law be considered when transferring personal information. |
The Prevalent Third-Party Risk Management Platform includes built-in capabilities to assess internal and external risks to consumer data, automate the remediation of findings, and report to regulators on progress. Prevalent:
For more details on how Prevalent can help organizations assess their third-party data protection controls to meet GDPR requirements, read The GDPR Third-Party Compliance Checklist or request a demo today. To learn how third-party risk management applies to 20+ other regulations, download The Third-Party Risk Management Compliance Handbook.
Enhanced cybersecurity supply chain risk management guidance has arrived with the final NIST CSF 2.0. Check...
09/25/2024
Learn how integrating the NIST Privacy Framework with third-party risk management (TPRM) helps organizations enhance data...
09/12/2024
Consider these best practices to ensure third-party service providers adequately protect your customer NPI data.
09/04/2024