A few thoughts on GDPR and Managing Third Party Risk
Today marks the two-year countdown until the EU General Data Protection Regulation (GDPR) comes into full effect.
GDPR will expand and extend the current data protection requirements for anyone processing Personally Identifiable Information (PII). The regulation introduces tough new penalties: fines of up to 4% of Annual Global Revenue or 20 Million Euros, whichever is higher. With such huge potential financial implications, as well as the damage to reputation and brand that comes from serious breaches of PII, it is important to be ahead of the game.
Most companies that are impacted will have compliance initiatives underway. However, there’s one essential element that many are not fully addressing – GDPR and Managing Third Party Risk. Industry reports suggest over 60% of IT security breaches occur via a Third-Party. So as organisations of all sizes become more dependent upon Third-Party supplier relationships to manage and process their most critical information, understanding the key policies, security practices and other key controls their suppliers use to protect this information becomes critical to operational efficiency AND regulatory compliance.
Managing hundreds to thousands of suppliers, outsourcers and other third-party relationships is difficult in the best of financial times. With shrinking budgets and fewer staff, how can Third-Party risk management be performed correctly?
These same shrinking budgets are forcing more companies to cut costs by outsourcing critical processes and systems containing confidential information. This makes the challenge of complying with GDPR and managing Third Party risk even more difficult.
Business and regulatory mandates are pressuring C-level officers to focus on compliance and privacy requirements. This diverts resources from business operations and revenue generation. Moreover, the lack of standards or accepted metrics for assessing risk is a constant distraction for Third-Parties completing multiple audits for their clients. Sometimes these audits are performed hundreds of times per year, costing the Third-Party time, money and the opportunity cost of not applying human capital to other projects.
Establishing a Third-Party risk management program is a challenging undertaking. The process increases in complexity because of the large number of participants from the enterprise (e.g. procurement, information and physical security, legal and regulatory compliance) and the Third-Party (e.g. sales, security, information technology, legal and human resources).
These seven steps are key for establishing a cost-effective Third-Party risk management program:
- Corporate Governance: The place to start is with a strong internal governance system and policies. Establishing a corporate-wide policy creates a solid foundation for the program. It is required before you can get all the organisations within the business to participate.
- Supplier Contracts: Contracts are the starting point from a Third-Party management perspective. Getting the necessary terms and conditions agreed upon is imperative from the beginning of the relationship. Key areas of consideration are “right to audit” and “security requirements”.
- Risk Assessments: There are three components of a complete Third-Party risk assessment: relationship risk, business profile risk and control risk. To perform due diligence, it is necessary to know what to review and what evidence to gather. When performing a risk assessment, there are a number of high-risk controls to measure, and certain red flags that will alert the auditor to problems.
- Remote Audit: A remote audit, or put simply the use of a questionnaire to gather key information about your Third-Party, is an essential first step in the evidence-gathering process. However, there are pitfalls here: it is a resource-hungry process and the quality of the results can vary widely.
- Onsite Audit: The key to an effective on-site audit is being prepared. Establish an audit plan that focuses the due diligence effort on critical areas that will result in correctable high impact findings. Watch for “red flags” that may indicate possible problems within the Third-Party’s environment.
- Reporting: Concise audit results are critical in providing guidance for the different areas within the organisation to review (e.g. procurement, legal and security). The organisation should review the risks identified in the report and require the Third-Party to correct areas of weak control to be in compliance with organisational requirements.
- Risk Monitoring: Ongoing risk monitoring or Continuous Monitoring is required to keep abreast of any significant changes to your Third-Party’s environment. Key areas to monitor include the company’s financial health, business continuity plans and security controls. A sudden change in any of these areas could significantly increase the risk the Third-Party poses to the organisation.
Many organisations are not able to adequately defend their selection of Third-Party suppliers and partners or their ongoing use. The mere task of performing due diligence and risk modelling on Third-Parties is cost-prohibitive and beyond the ability of most organisations. That’s where DVV Solutions can help. We have a range of services offering scalable, cost-effective and automated solutions to the challenge of assessing and managing Third-Party risk.
If you are interested in finding out more about DVV Solutions, or would like information about our Services and Solutions to support GDPR, managing Third Party risk and risk assessments, please contact us now and we will be happy to speak with you.
For the latest information and guidance on GDPR, DVV Solutions suggests visiting the Information Commissioner’s Office (ICO) dedicated website at: https://ico.org.uk/for-organisations/data-protection-reform/