January 28th is Data Protection Day (a.k.a. Data Privacy Day), a focal point for the importance of respecting privacy, safeguarding data and building trust between data subjects and the organisations that store, process and use their data.
In support of Data Protection Day, the website www.staysafeonline.org provides a suite of useful tools aimed at creating a greater understanding of the importance of data security and privacy for consumers, businesses, organisations, schools and non-profits.
Each year organisations take this opportunity to spotlight key privacy risk topics for the coming year. Reviewing 2019 and the ongoing challenges for data protection in 2020, a common thread in the media landscape is the risk that Third Parties represent to organisations that need to protect their customers’ sensitive data. Just take the breaches at:
Facebook – Cultura Colectiva (146GB data set / 540 million records), and
Marriott / Starwood (proposed £100m fine from the ICO)
to name but a few, as examples of the impact poor Third Party and outsourced supplier controls can have on your brand reputation and bottom line, whether the supplier is an external agency or an internal “intra-group” organisation you rely on.
GDPR Third Party Compliance and Risk Management
Changes in data protection regulations and legal standards remain top of mind for many organisations especially given the enforcement of GDPR fines and the introduction of additional regulation such as CCPA.
Many organisations find measuring compliance challenging because they have yet to understand the complete picture of their data supply chain and the scope of current activities surrounding the controlling and processing of the personal data (PII) of individuals in the European Union. Giving a third party access to such data is itself considered a transfer from a GDPR viewpoint, which is why a clear understanding of data flows, data inventories and cross-border interactions is required.
There is good news, however: there is growing evidence of a correlation between compliance and improved security.
Results from a Cisco survey indicated that GDPR-compliant organisations suffer fewer breaches than non-compliant ones: 74% of GDPR-ready organisations were affected by data breaches in 2018, compared to 89% of companies that were not GDPR-ready. In addition, “fewer records were affected, system downtime was shorter and monetary costs were lower in GDPR-ready organisations.”
Building GDPR Third Party Compliance into your TPRM program
With GDPR placing responsibility (and liability for penalties and fines) on both controller and processor in the event of a breach, ensuring GDPR Third Party compliance requires organisations to take proactive measures and perform due diligence to address risks and non-compliance.
Data processors (service providers) need to be better prepared for requests from data controllers (outsourcers), and to direct their own information requests to sub-processors. With 82% of surveyed organisations viewing privacy certifications as a buying factor when selecting a product or vendor in their supply chain, the ability to assure and evidence good data privacy and protection practice is fast becoming an essential commercial, as well as regulatory, activity.
Evidence to support GDPR Third Party compliance should include:
– contractual provisions and obligations for all relevant parties,
– artefacts and documentation of competence and capabilities, and
– clear attestations of policy and process implementation
which can be used to evaluate the readiness and maturity of the existing controls against the broad range of GDPR privacy-relevant requirements.
You’re only as Strong as your Weakest Link
Enabling outsourcers to qualify and attest to their compliance with GDPR is a critical step for IT Risk Assurance teams in ensuring the integrity and regulatory compliance of the data supply chain. That is why DVV Solutions has created a comprehensive assessment service for GDPR Third Party compliance.
Our GDPR Third Party Risk Assessment can be delivered as a fully managed service on your behalf by our IT Security Assurance experts. We work with you to understand your data security challenges and program objectives to build the right service to suit your needs.
The GDPR Third Party Risk Assessment questionnaire covers the full breadth of exposure posed by outsourcing the processing of personal data (PII) and includes subjects such as:
- Awareness and understanding of GDPR regulations and data protection principles
- Lawfulness of processing and further processing and legitimate interests
- Consent management
- Children’s data protection, processing and management
- Sensitive data and lawful processing
- Subject access, rectification, portability and right to object processes
- Management of right to erasure and right to restriction of processing, and
- Personal data breach notifications
Adapted from industry best practice developed by Shared Assessments, the trusted source in Third Party risk assurance whose membership comprises Third Party risk management and privacy professionals from across the globe, these tailored assessments help you to develop a more proactive approach to GDPR compliance: identifying risks and issues and allowing all parties to work together to mitigate any clearly validated risks before, rather than after, the fact. They can be executed in isolation or added to existing IT risk assessments, and then integrated into an ongoing programme of Third Party risk management.
Visit our dedicated GDPR Third Party Risk Assessment web page to find out more or:
Call Us: +44 (0) 161 476 8700
Contact Us: Complete our Contact Form, or
Learn more about What We Do
And on Data Protection Day, Stay Safe Online!