January 24 to 28 is Data Privacy Week, a focal point for the importance of respecting privacy, safeguarding data and building trust between data subjects and the organisations that store, process and use their data.
In support of Data Privacy Week, the website www.staysafeonline.org provides a suite of useful tools that aim to create a greater understanding of the importance of data security and privacy for consumers, businesses, organisations, schools and non-profits.
Each year organisations take this opportunity to spotlight key privacy risk topics for the coming year. In reviewing 2021 and the ongoing challenges for data protection in 2022, a common thread in the media landscape is the risk that 3rd parties represent to organisations that need to protect their customers' sensitive data.
Kaseya and SolarWinds are classic examples of the impact that poor controls over 3rd parties and outsourced suppliers can have on your brand reputation and bottom line, whether the supplier is an external agency or an internal, intra-group organisation you rely on.
GDPR 3rd Party Compliance and Risk Management
Changes in data protection regulations and legal standards remain top of mind for many organisations, especially since the EU General Data Protection Regulation (GDPR) became enforceable on 25th May 2018.
In a recent study, The True Cost of Compliance with Data Protection Regulations, by the Ponemon Institute and Globalscape, 90% of respondents viewed GDPR compliance as the most difficult to achieve, surpassing even the PCI DSS standard.
Many organisations find measuring GDPR compliance challenging because they do not yet have the complete picture of their data supply chain and the scope of current activities around the controlling and processing of personal data of EU data subjects (GDPR protects individuals in the EU, not only EU citizens). Giving a supplier outside the EU access to such data, even remote read access, is considered a transfer of data from a GDPR viewpoint, so organisations need a strong understanding of data flows, data inventories and cross-border interactions.
Building GDPR & UK DPA 3rd Party Compliance into your Third Party Risk Management (TPRM) program
Knowing where your data is becomes an even more crucial part of compliance when looking at the 3rd party ecosystem of outsourcing partners and service providers.
GDPR places direct obligations, and exposure to fines and compensation claims, on both controllers and processors in the event of a breach. Article 28 requires controllers to use only processors that provide sufficient guarantees, under a written contract, and requires processors to flow the same obligations down to any sub-processor they engage. Ensuring GDPR 3rd party compliance therefore requires organisations to take proactive measures and perform due diligence on their supply chain. Data processors (service providers) should be prepared for requests from data controllers (the outsourcing organisations), and should in turn direct their own information requests to sub-processors.
Evidence to support GDPR 3rd Party compliance should include:
– contractual provisions and obligations for all relevant parties,
– artefacts and documentation of competence and capabilities, and
– clear attestations of policy and process implementation
which can be utilised to evaluate the readiness and maturity of the existing controls against the broad range of GDPR privacy-relevant requirements.
You’re only as Strong as your Weakest Link
Enabling outsourced suppliers to qualify and attest to their compliance with GDPR is a critical step for IT Risk Assurance teams in ensuring the integrity and regulatory compliance of the data supply chain. That is why DVV Solutions has created a comprehensive assessment service for GDPR 3rd Party compliance.
The GDPR 3rd Party Risk Assessment can be delivered via our cloud-based Supplier Risk Manager platform for your team to execute or as a fully managed service on your behalf by our IT Security Assurance experts. We work with you to understand your data security challenges and program objectives to build the right service to suit your needs.
The GDPR 3rd Party Risk Assessment questionnaire covers the full breadth of exposure posed by outsourcing the processing of PII data and includes subjects such as:
- Awareness and understanding of GDPR regulations and data protection principles
- Lawfulness of processing and further processing and legitimate interests
- Consent management
- Children’s data protection, processing and management
- Sensitive data and lawful processing
- Subject access, rectification, portability and right to object processes
- Management of right to erasure and right to restriction of processing, and
- Personal data breach notifications
The assessments are adapted from industry best-practice templates developed by Shared Assessments, a leading global group of 3rd party risk management and privacy professionals across a variety of industries. These tailored assessments help you develop a more proactive approach to GDPR compliance: identifying risks and issues and allowing all parties to work together to mitigate any clearly validated risk before, rather than after, the fact. They can be executed in isolation or added to existing IT risk assessments, and then integrated into an ongoing program of 3rd party risk management.
Visit our dedicated GDPR Third Party Risk Assessment web page to find out more or:
Call Us: +44 (0) 161 476 8700
Contact Us: Complete our Contact Form, or
Learn more about What We Do