GDPR Compliance and Third-Party Risk Management
Have you noticed all the cookie pop-ups on websites these days? They owe much to the General Data Protection Regulation (GDPR), the European Union privacy law that forced a radical shift in how companies handle personal data.
Unfortunately, for many companies, GDPR is also a compliance headache waiting to happen.
Here’s the good news: GDPR compliance is possible when you have the right tools for the job. That’s where third-party risk management comes in. Here’s a closer look at what the GDPR is, what your obligations are under the law, and how third-party risk management programs can help you meet them.
What is GDPR?
The General Data Protection Regulation (GDPR) is one of the strictest privacy laws in the world. It was passed in the European Union, but it applies to organizations anywhere in the world that process the personal data of people in the EU, for example by offering them goods or services or monitoring their behaviour.
If an organization does not comply with the GDPR, it faces steep penalties, including fines reaching into the tens of millions of euros. There are two penalty tiers: the lower tier maxes out at 10 million euros or 2% of the offender's worldwide annual turnover, and the upper tier at 20 million euros or 4%, in each case whichever is higher.
Roles and Terminology in GDPR Compliance
To talk about GDPR compliance, it’s essential to understand some key terminology:
Personal data (any information relating to an identified or identifiable natural person, that is, a person who can be identified directly or indirectly from it)
Data processing (any operation performed on personal data, whether manual or automated, including collection, storage, use, disclosure and deletion)
Data subject (the identified or identifiable person whose data is processed)
Data controller (the organization or person that determines the purposes and means of processing, in other words why and how personal data will be processed)
Data processor (a third party that processes personal data on behalf of, and on the instructions of, the data controller)
Another term that’s widely used in relation to GDPR practices is sub-processor. This is not an official GDPR term, but it is nonetheless important. A sub-processor is an entity that performs data processing on behalf of the data processor, essentially a fourth-party organization.
Compliance Requirements By Role
It’s important to know this terminology because the truth is that classifications are relative in the GDPR.
Let’s say that you hired a company, Company B, to assist in data processing, and they in turn hire a company, Company C, to assist in that data processing. From your perspective, Company B is a processor (i.e. third party) and Company C is a sub-processor (i.e. fourth party). However, from Company B’s perspective, Company C is a processor.
That does not mean you can stop worrying about distant sub-processors. Because the GDPR's classifications are relative, a sub-processor signs an agreement with the processor that engages it, and that agreement must impose on the sub-processor the same data protection obligations the processor itself accepted from the controller (Article 28(4)). Each party is then subject to the GDPR obligations that attach to its role.
The best place to start is with the duties of the processor. Processors may only process personal data on documented instructions from the controller. A processor may not engage a sub-processor without the controller's prior written authorization; that authorization can be specific or general, but under a general authorization the processor must still inform the controller of any intended change of sub-processors and give the controller a chance to object (Article 28(2)). Furthermore, the processor remains fully liable to the controller if a sub-processor fails to meet its obligations.
As such, it is the processor's duty to ensure all data entrusted to it is processed in accordance with the controller's instructions and the law. The processor must also assist the controller in meeting its GDPR obligations, including by providing the information needed for data protection impact assessments. Once the processing services end, the processor must delete or return all the personal data, at the controller's choice, and delete any remaining copies. The only exception is where EU or member state law requires the processor to keep the data.
The GDPR requires a processor to notify the controller of a personal data breach without undue delay after becoming aware of it (Article 33(2)), but it sets no fixed deadline for that step. Because the controller itself generally has only 72 hours to notify the supervisory authority, most controllers contractually require their processors to report a breach within 24 hours.
Questions to Ask
With that in mind, there are a few key questions to ask about your GDPR compliance duties:
What is my role based on GDPR classifications?
What are my external vendors’ roles relative to me?
Have I entered into a written Data Processing Agreement (DPA) with each of my processors, and does each DPA require the processor to flow the same obligations down to its sub-processors?
Do the DPAs cover all the mandatory terms in Article 28 of the GDPR?
Do I understand the data subject’s rights?
Have I crafted my privacy rules with the data subject’s rights in mind?
Have I reviewed my third-party vendors' practices to ensure compliance?
What options do I have for periodic check-ins, audits or evidence requests to verify ongoing compliance?
Have I reviewed my third-party vendors' privacy and data processing history to verify a strong compliance record?
What is my policy on data breaches? What is my vendor’s policy? Do we have a provision in our written agreement to address data breaches while ensuring GDPR compliance?
These are just a few basic questions to help you get started. In reality, they’re only the tip of the iceberg.
Third-Party Risk Management Programs and GDPR Compliance
If there’s one thing that’s self-evident from GDPR rules and guidelines, it’s that third-party risk management is more important than ever before.
The short version of the GDPR is that you as a data controller remain accountable for the processing done on your behalf by your third-party and fourth-party vendors, and you may only use processors that provide sufficient guarantees of compliance. This means that their data processing practices (and their concern, or lack of it, for privacy) reflect directly on you. If it sounds like a Herculean task, that's the whole point: the GDPR was written to force companies to rethink their whole approach to privacy.
Unfortunately, it’s difficult to keep track of all your disparate vendors at once, especially while trying to run your own company. Third-party risk management programs are the key to rendering the whole process manageable, making it easy to set the terms of your agreement, check compliance, and take action to ensure your vendors remain compliant.
We Make It Easy to Manage Risk
That’s where we come in.
GDPR compliance can be a headache, but with Privva, it’s never been easier. Instead of manually chasing down every vendor, you can automate third-party risk assessment so that you always know where you stand and where to go next. But most of all, we help you see the business value in your third-party vendors.
Ready to take a smarter approach to regulatory compliance? Get in touch today to learn how we can help.