Editor’s Note: In this week’s edition of our blog series, Third-Party Risk Management: How to Stay Off the Regulatory Radar, we take a look at the General Data Protection Regulation (GDPR) Article 28 and Article 32 requirements related to third parties. Please be sure to review all the blogs in this series, and download the white paper for a complete examination of requirements.
GDPR is a set of laws designed to give EU citizens more control over their personal data and increase the obligations of organizations to deal with that data in transparent and secure ways. In fact, all organizations that collect, store, process, or transfer personal data of EU citizens – whether they operate within the EU or outside of the EU offering goods or services to EU residents – must comply with this regulation.
To be compliant with GDPR provisions in Article 28 and Article 32, organizations must take the necessary steps to protect citizens’ data in their care, including data that is shared with third parties. Because many data breaches occur through third-party relationships, GDPR clearly states that third parties (known as data processors) must handle data privacy and security in a way that is compliant with the regulation. In fact, under this legislation, they are legally obligated to comply with all aspects of the regulation to ensure consistency and true protection for customers.
Accordingly, organizations should perform due diligence initiatives on a regular basis to ensure their third parties are actively engaged with GDPR requirements. Processes should include:
- Data privacy risk assessments for all third parties that have access to personal data
- Continuous monitoring of critical third parties
- Documented evidence to demonstrate compliance
- Audit trail to ensure all documentation is available for forensic investigation
GDPR is far-reaching and impacts all industries. Organizations should take proactive measures and upgrade their third-party risk frameworks in line with GDPR requirements to mitigate data privacy risk.
Meeting GDPR Third-Party Risk Requirements
For the purposes of this blog, we have summarized select GDPR requirements and identified Prevalent Third-Party Risk Management Platform capabilities that demonstrate the breadth and value you can gain from our complete TPRM platform. For a complete listing of the GDPR requirements and how Prevalent capabilities map directly into them, please be sure to download the white paper, Satisfying Compliance with Third-Party Risk Management Requirements.
To address GDPR requirements, Prevalent:
- Offers a specific GDPR questionnaire in the Prevalent platform, querying the vendor on their technical and organizational measures to protect the rights of the data subject per Article 28, paragraph 1.
- Provides data controllers with a 360-degree view of data processor risks via clear and concise reporting on control failures along with recommended remediations per Article 28, paragraph 3.
- Centralizes a data processor’s risk profile, enabling a thorough audit of processes mandated by the data controller per Article 28, paragraph 3.
- Provides ongoing periodic or secondary assessments to continually monitor the technical and organizational measures put in place by the data processor to ensure a level of security appropriate to the risk, e.g., regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing per Article 32, paragraph 1.
How Prevalent Helps Address Third-Party Risk GDPR Guidelines
Maintaining GDPR compliance takes time and vigilance, especially when it comes to managing the relationship between organizations (data controllers) and their third parties (data processors). The regulation states that a policy for managing data privacy should be in place and contractually agreed upon by the controller and processor. Data processors should be assessed against the necessary GDPR privacy-focused operational processes to ensure they have the required processes in place.
Prevalent offers a GDPR questionnaire available in the platform to determine third-party readiness across all GDPR components. The survey gathers information and documentation on all the data management and privacy operational processes a data processor needs to have in place for GDPR, based on the type of EU data they access. All answers can then be analyzed within the Prevalent platform to determine a third party’s level of readiness for GDPR; identify any necessary action items; and track remediation efforts.
The Prevalent platform also includes a Data Mapping Assessment survey that identifies where data regulated by GDPR exists within an organization – both internally and with third-party vendors. It provides a clear picture of what the data is; how it comes into the organization; how it is used and stored; and who it is shared with outside the organization. With the platform’s unique relationship management capabilities, organizations can create, query, and view data inventories and processing records. Combined with Prevalent’s vendor assessment functionality, this delivers a comprehensive, internal and external view of compliance and related processes.
Our Series Continues…
Next week’s blog examines the European Banking Authority’s (EBA’s) framework for financial institutions that are subject to the Capital Requirements Directive (CRD), and what outsourcing arrangement controls are in place.