
General Data Protection Regulation (GDPR) Compliance

GDPR and Third-Party Risk Management

GDPR is a set of laws designed to give EU citizens more control over their personal data and to increase the obligations of organizations to handle that data in transparent and secure ways. All organizations that collect, store, process, or transfer the personal data of EU citizens must comply with this regulation. These data protection obligations extend not only to organizations operating within the EU, but also to any companies outside the EU that offer goods or services to EU residents.

To be compliant with GDPR, organizations must take the necessary steps to protect citizens' data in their care, including data that is shared with third parties. Because many data breaches occur through third-party relationships, GDPR clearly states that third parties (known as data processors) must handle data privacy and security in a way that is compliant with the regulation. Under this legislation, they are legally obligated to comply with all aspects of the regulation to ensure consistency and genuine protection for customers.

Under GDPR, regulatory authorities have greater power to act against companies that break this law, with fines totaling up to 4% of annual global revenue or 20 million euros, whichever is greater. It's therefore imperative to conduct due diligence of your organization's vendors, suppliers and other third parties to ensure they are adhering to GDPR requirements.

Relevant Requirements

  • Data privacy risk assessments for all third parties that have access to personal data

  • Continuous monitoring of critical third parties

  • Documented evidence to demonstrate compliance

  • Audit trail capabilities

Satisfying Third-Party Risk Management Compliance Requirements

Discover the key third-party risk management requirements in common regulatory and security frameworks, and learn how Prevalent maps to specific mandates so you can achieve compliance while mitigating vendor risk.


Meeting GDPR TPRM Requirements

Here's how Prevalent can help you address GDPR third-party risk management requirements:

The table below pairs each GDPR requirement with how Prevalent helps.

GDPR Requirement: Article 28: Processor, Paragraph 1

"Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject."

How We Help: Prevalent offers security, privacy, and risk management professionals an automated platform to manage the third-party risk assessment process and determine compliance with IT security, regulatory, and data privacy requirements, including GDPR. It employs both standard and custom questionnaires to help collect evidence and provides bi-directional remediation workflows, live reporting, and an easy-to-use dashboard for efficiency. With clear reporting and remediation guidance, the platform ensures that risks are identified and escalated to the proper channels.

GDPR Requirement: Article 28: Processor, Paragraph 3

"That contract or other legal act shall stipulate, in particular, that the processor:

(f) assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 considering the nature of processing and the information available to the processor"

Articles 32 to 36 lay out the requirements for a data protection impact assessment along with continuous monitoring of critical data processors (third parties).

How We Help: Prevalent delivers the industry's only purpose-built, unified platform for third-party risk management. The platform combines automated third-party assessments and continuous threat monitoring to simplify compliance, reduce security risks, and improve efficiency. The platform provides CISOs with a 360-degree view of data processor risks, via clear and concise reporting tied to specific regulations and control frameworks, including GDPR, for improved visibility and decision making.

GDPR Requirement: Article 28: Processor, Paragraph 3

"That contract or other legal act shall stipulate, in particular, that the processor:

(h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller."

How We Help: The Prevalent Third-Party Risk Management platform includes effective reporting to satisfy audit and compliance requirements, as well as to present findings to the board and senior management. The entire risk profile can be viewed in the centralized live reporting console, and reports can be downloaded and exported to determine compliance status. Deep reporting capabilities include filters and click-through interactive charts. The solution includes a complete repository of all documentation collected and reviewed during the diligence process.

GDPR Requirement: Article 28: Processor, Paragraph 3

"Takes all measures required pursuant to Article 32"

How We Help: See Article 32 below.

GDPR Requirement: Article 32: Security of Processing, Paragraph 1

"The controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing."

How We Help: Prevalent offers security, privacy, and risk management professionals an automated platform to manage the third-party risk assessment process and determine compliance with IT security, regulatory, and data privacy requirements, including GDPR. It employs both standard and custom questionnaires to help collect evidence and provides bi-directional remediation workflows, live reporting, and an easy-to-use dashboard for efficiency. With clear reporting and remediation guidance, the platform ensures that risks are identified and escalated to the proper channels.
