January 28th 2019 is Data Protection Day (a.k.a. Data Privacy Day), providing a focal point to the importance of respecting privacy, safeguarding data and enabling trust between data subjects and those who store, process and use their data.
In support of Data Protection Day the web site www.staysafeonline.org provides a suite of useful tools that aim to create a greater understanding of the importance of data security and privacy for consumers, businesses, organisations, schools, and non-profits.
Each year organisations take this opportunity to spotlight key risk topics for privacy in the coming year. In reviewing 2018 and the ongoing challenges for data protection in 2019, a common thread in the media landscape is the risk that 3rd Parties represent to organisations who need to protect their customers’ sensitive data. Just take the breaches at:
British Airways (380,000 customer payments intercepted),
Dixons Carphone (10 million customer records accessed),
Uber (£385k fine from ICO) and
Equifax (£500k fine from ICO),
to name but a few, as examples of the impact poor 3rd party and outsourced supplier controls can have on your brand reputation and bottom line – be they an external agency or internal “intra-group” organisation you rely on.
Personally Identifiable Information (PII) remains Top Information Risk
In 2018, the International Association of Privacy Professionals (IAPP) conducted its second annual study of the disclosure statements of 150 publicly traded companies. It shows that 100% of these companies identified cyber attacks in their most recent 10-K reports as current and ongoing risks, up from 86% the prior year.
The loss of customer or employee PII remains at the top of the disclosed information-related risks at 87% with reputation harm the greatest potential consequence at 95%.
After the risk of a cyber-attack, the #2 risk concern at 69% for surveyed companies was information loss or misuse by business partners or other 3rd Parties. That was a jump of 22% over the first report, which emphasises the criticality of 3rd Party oversight and 3rd Party risk management (TPRM).
GDPR 3rd Party Compliance and Risk Management
Changes in data protection regulations and legal standards remain top of mind for many organisations, especially given the enforcement of the EU General Data Protection Regulation (GDPR) from 25th May 2018.
In addition, in a recent study, the True Cost of Compliance with Data Protection Regulations, by the Ponemon Institute and Globalscape, 90% of respondents viewed GDPR compliance as the most difficult to achieve, surpassing even the PCI DSS standard.
Many organisations find measuring GDPR compliance challenging as they have yet to understand the complete picture of their data supply chain and the scope of current activities surrounding the controlling and processing of European Union citizens’ PII data. Giving a 3rd Party access to such data is considered a transfer of data from a GDPR viewpoint, triggering the need for a strong understanding of data flows, data inventories, and cross-border interactions.
Building GDPR 3rd Party Compliance into your TPRM program
With GDPR rules placing joint responsibility (and liability for penalties and fines) on both parties in the case of any breach, ensuring GDPR 3rd Party compliance requires organisations to take proactive measures and due diligence to address risks and non-compliance beyond 25th May 2018. Data processors (service providers) need to prepare for requests from data controllers (outsourcers), as well as to guide their own information requests to sub-processors.
Evidence to support GDPR 3rd Party compliance should include:
– contractual provisions and obligations for all relevant parties,
– artefacts and documentation of competence and capabilities, and
– clear attestations of policy and process implementation
which can be utilised to evaluate the readiness and maturity of the existing controls against the broad range of GDPR privacy-relevant requirements.
You’re only as Strong as your Weakest Link
Enabling outsourcers to qualify and attest to their compliance with GDPR is a critical step for IT Risk Assurance teams in ensuring the integrity and regulatory compliance of the data supply chain. That’s why DVV Solutions has created a comprehensive assessment service for GDPR 3rd Party compliance.
The GDPR 3rd Party Risk Assessment can be delivered via our cloud-based Supplier Risk Manager platform for your team to execute or as a fully managed service on your behalf by our IT Security Assurance experts. We work with you to understand your data security challenges and program objectives to build the right service to suit your needs.
The GDPR 3rd Party Risk Assessment questionnaire covers the full breadth of exposure posed by outsourcing the processing of PII data and includes subjects such as:
- Awareness and understanding of GDPR regulations and data protection principles
- Lawfulness of processing and further processing and legitimate interests
- Consent management
- Children’s data protection, processing and management
- Sensitive data and lawful processing
- Subject access, rectification, portability and right to object processes
- Management of right to erasure and right to restriction of processing, and
- Personal data breach notifications
Adapted from industry best-practice templates developed by Shared Assessments, a leading global group of 3rd party risk management and privacy professionals across a variety of industries, these tailored assessments help you to develop a more proactive approach to GDPR compliance: identifying risks and issues and allowing all parties to work together to mitigate any clearly validated risks before, rather than after, the fact. They can be executed in isolation or added to existing IT risk assessments and then integrated into an ongoing program of 3rd Party risk management.
Visit our dedicated GDPR Third Party Risk Assessment web page to find out more or:
Call Us: +44 (0) 161 476 8700
Contact Us: Complete our Contact Form, or
Learn more about What We Do
And on Data Protection Day, Be Safe Online, and – if you haven’t already – get started on your plan for complete GDPR readiness!