DVV Solutions, specialists in Third Party Risk Management, has launched a new set of GDPR Third Party Risk Assessment questionnaires specifically designed to test the compliance of Third Party data processors with EU GDPR Regulations.
The questionnaire sets are designed to scrutinise the controls, policies and procedures each Third Party has in place and enable clients to determine the state of each supplier’s readiness for GDPR. With GDPR rules placing joint responsibility (and liability for penalties and fines) on both parties in the case of any breach, the GDPR Third Party Risk Assessment enables organisations to take proactive measures to address risks and non-compliance before and after 25th May 2018 when the new regulations and larger potential sanctions come into effect.
Sean O’Brien, Director, DVV Solutions, commented: “We recognised the unique and specific challenges GDPR poses to both clients, as ‘data controllers’, and their outsourced business partners, as ‘data processors’. Enabling outsourcers to qualify and attest to their compliance with GDPR is a critical step for IT Risk Assurance teams in ensuring the integrity and regulatory compliance of the data supply chain. These tailored questionnaires are an ideal solution and can be executed in isolation or added to existing IT risk assessments and then integrated into an ongoing program of IT supplier risk assessment.”
The GDPR Third Party Risk Assessment is automated through DVV Solutions’ Supplier Risk Manager platform which is built upon the industry-standard Shared Assessment SIG and SIG Lite Third Party risk assessment process. Users can manage the seamless delivery, collation and analysis of multiple assessments all through one simple user interface.
The assessment covers the full breadth of exposure posed by outsourcing the processing of PII data and includes subjects such as:
- Awareness and understanding of GDPR regulations and data protection principles
- Lawfulness of processing and further processing and legitimate interests
- Consent management
- Children’s data protection, processing and management
- Sensitive data and lawful processing
- Subject access, rectification, portability and right to object processes
- Management of right to erasure and right to restriction of processing, and
- Personal data breach notifications
Sean O’Brien concluded: “With the clock continuing to tick down to the launch of GDPR in May 2018, these GDPR Third Party Risk Assessments will help to fill the gap in many GDPR programs where the assurance and compliance of Third Parties is often left down to a basic check and update of contractual terms. But this only helps to identify liability after a breach and potentially significant financial and reputational damage has occurred. In line with the ICO’s guidance for implementation of ‘best practice’, the GDPR Third Party Risk Assessment develops a more proactive approach to GDPR compliance, identifying risks and issues and allowing both parties to work together to mitigate any clearly validated risks before, rather than after, the fact.”