A few thoughts on GDPR and Third Party Risk
A year from today, on May 25th 2018, the biggest change to data protection law in 20 years takes effect: the EU General Data Protection Regulation (GDPR), which replaces the current data protection regime.
By now you know the risks: a breach involving personal data (the GDPR term, which is broader than Personally Identifiable Information (PII) as that term is usually used) can result in fines of up to 4% of annual global turnover or 20 million euros, whichever is higher.
Most companies that are affected have compliance initiatives underway. However, there is one essential element that many are STILL not fully addressing: GDPR and Third Party Risk. Whether personal data is shared with and processed by a Third Party for Customer-related activity (e.g. Sales and Marketing, Credit Checking, Service and Support) or Employee-related activity (outsourced HR, Payroll etc.), you as the “Data Controller” retain ultimate responsibility for what happens to it.
“The controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.” (GDPR, Article 28(1))
In GDPR terms, “data controllers” must carry out due diligence on the security practices of the “data processors” they share personal data with, AND, crucially, they (that means YOU!) share responsibility for what happens to it. This means that YOU can be held liable if one of your chosen Third Parties is breached because it failed to meet GDPR requirements and your Customer or Employee data is compromised as a result.
Industry reports suggest that over 60% of IT security breaches occur via a Third Party. As organisations of all sizes become more dependent on Third-Party suppliers to manage and process their most critical information, understanding the policies, security practices and other key controls those suppliers use to protect it becomes critical to both operational efficiency AND regulatory compliance.
Easy to say, but challenging to do, as Sean O’Brien, DVV Solutions Managing Director, explained: “Many organisations are not able to adequately defend their selection of Third-Party suppliers and partners or their ongoing use. The mere task of performing due diligence and risk modelling on Third Parties is cost prohibitive and beyond the ability of most organisations. But that’s not going to wash with regulatory bodies once GDPR kicks in in May 2018.”
That is where services such as DVV Solutions’ SupplierAssess can help. SupplierAssess is a managed service that allows companies to supplement their existing Third-Party supplier risk management program by drawing on DVV Solutions’ expertise in performing remote and on-site Third-Party assessments. It is a subscription-based service that uses industry best practices to let companies scale their IT and non-IT Third-Party supplier risk assessments without the need for additional staff or resources.
“SupplierAssess offers our Customers the assistance they need to ensure an effective approach to managing the impact of GDPR and Third Party Risk. By supporting their due diligence on their Third Party suppliers’ security, practices and IT environments, we can help our Customers to identify any inherent risks in their supplier estate and take the necessary actions to mitigate any risk to Customer and Employee data ahead of GDPR in May 2018,” Sean O’Brien said.
The clock is ticking! If you are interested in finding out more about DVV Solutions, or about our Services and Solutions for managing GDPR and Third Party Risk assessments, please contact us now and we will be happy to speak with you.
For the latest information and guidance on GDPR and Third Party Risk, DVV Solutions suggests visiting the Information Commissioner’s Office (ICO) dedicated GDPR website.