The General Data Protection Regulation (GDPR) is a major change in the EU's data protection and privacy laws. It dramatically expands the set of companies accountable under EU regulation, bringing into scope every organization that collects or processes personal data of individuals in the EU, regardless of where that organization is based. It also gives supervisory authorities far greater enforcement power, with fines of up to 4% of annual global turnover or 20 million euros, whichever is higher.
A Data Controller is an organization that determines (alone or jointly with others) the purposes and means of processing personal data: what data is collected and how it is used, stored, and processed. Beyond its own control environment, a Data Controller is responsible for ensuring that adequate controls and processes are in place at every third party that handles personal data on its behalf (its Data Processors). This covers security controls and privacy practices, and it also covers breach handling: the controller must notify the supervisory authority within 72 hours of becoming aware of a personal data breach, and a processor must notify the controller without undue delay. In practice that means the controller's contracts with processors should require prompt breach notification, because the 72-hour clock keeps running while a processor's report is in transit.
Because GDPR holds Data Controllers directly responsible for the third parties that collect, store, or process personal data for them, organizations must significantly strengthen their third party risk management (TPRM) programs to confirm that vendors have the appropriate data management and operational processes in place. To determine GDPR readiness, Data Controllers must assess each vendor's data management and privacy practices, including all of its data processing activities.
A first step for any Data Controller is to implement a third party risk management process that identifies every third party with access to EU personal data and establishes controls for each identified vendor based on the type of personal data it accesses.
Data Controllers must then determine whether those vendors have the data management processes needed to meet GDPR requirements. This calls for a comprehensive assessment of each vendor's data management practices and of the privacy-focused operational processes GDPR expects. Alongside the privacy requirements, vendors must also be assessed, and then continuously monitored, to confirm that the IT security controls needed to prevent unauthorized access to data and systems remain in place over time, not just at the point of assessment.
Prevalent offers the only solution that combines vendor assessment with continuous monitoring, giving you the tools you need to determine your vendors' level of readiness for GDPR. Be prepared for GDPR and build your comprehensive Third Party Risk Management program with Prevalent.