General Data Protection Regulation (GDPR) Compliance

Complying with GDPR

GDPR is a set of laws designed to give EU citizens more control over their personal data and to increase the obligations of organizations to handle that data in transparent and secure ways. All organizations that collect, store, process, or transfer the personal data of EU citizens must comply with this regulation. These data protection obligations extend not only to organizations operating within the EU, but also to any companies outside the EU that offer goods or services to EU residents.

GDPR and Third-Party Risk Management

To be compliant with GDPR, organizations must take the necessary steps to protect citizens' data in their care, including data that is shared with third parties. Because many data breaches occur through third-party relationships, GDPR clearly states that third parties (known as data processors) must handle data privacy and security in a way that is compliant with the regulation. Under this legislation, they are legally obligated to comply with all aspects of the regulation to ensure consistency and genuine protection for customers.

Under GDPR, regulatory authorities have greater power to act against companies that break this law, with fines of up to 4% of annual global revenue or 20 million euros, whichever is greater. It is therefore imperative to conduct due diligence on your organization's vendors, suppliers and other third parties to ensure they are adhering to GDPR requirements.

Relevant Requirements

GDPR calls for third-party risk management processes including:

  • Data privacy risk assessments for all third parties that have access to personal data
  • Continuous monitoring of critical third parties
  • Documented evidence to demonstrate compliance
  • Audit trail capabilities

Meeting GDPR Third-Party Risk Management Requirements

Here's how Prevalent can help you address GDPR third-party risk management requirements:

General Data Protection Regulation (GDPR)

GDPR Requirement | How Prevalent Helps

Article 28: Processor

Paragraph 1

"Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject."

Prevalent offers security, privacy, and risk management professionals an automated platform to manage the third-party risk assessment process and determine compliance with IT security, regulatory, and data privacy requirements, including GDPR. It employs both standard and custom questionnaires to help collect evidence and provides bi-directional remediation workflows, live reporting, and an easy-to-use dashboard for efficiency. With clear reporting and remediation guidance, the platform ensures that risks are identified and escalated to the proper channels.

Article 28: Processor

Paragraph 3

"That contract or other legal act shall stipulate, in particular, that the processor:

(f) assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 considering the nature of processing and the information available to the processor"

Articles 32 to 36 lay out the requirements for a data protection impact assessment along with continuous monitoring of critical data processors (third parties).

Prevalent delivers the industry's only purpose-built, unified platform for third-party risk management. The platform combines automated third-party assessments and continuous threat monitoring to simplify compliance, reduce security risks, and improve efficiency. The platform provides CISOs with a 360-degree view of data processor risks via clear and concise reporting tied to specific regulations and control frameworks, including GDPR, for improved visibility and decision making.

Article 28: Processor

Paragraph 3

"That contract or other legal act shall stipulate, in particular, that the processor:

(h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller."
The Prevalent Third-Party Risk Management platform includes effective reporting to satisfy audit and compliance requirements, as well as to present findings to the board and senior management. The entire risk profile can be viewed in the centralized live reporting console, and reports can be downloaded and exported to determine compliance status. Deep reporting capabilities include filters and click-through interactive charts. The solution includes a complete repository of all documentation collected and reviewed during the diligence process.

Article 28: Processor

Paragraph 3

"Takes all measures required pursuant to Article 32"
(See below)

Article 32: Security of Processing

Paragraph 1

"The controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing."

(See Article 28, Paragraph 1, above.)


The Prevalent Difference

The Prevalent Third-Party Risk Management Platform includes a GDPR questionnaire designed to assess the data management and privacy processes that GDPR requires of all data processors. It also includes a Data Mapping Assessment survey that identifies where data regulated by GDPR exists within an organization, both internally and with third-party vendors. With the platform's relationship management capabilities, you can create, query, and view data inventories and processing records. This is backed by analysis capabilities for determining third-party GDPR readiness, identifying necessary action items, and tracking remediation efforts.