A few thoughts from our Guide to GDPR and Third Party Risk. DVV Solutions were privileged to host a panel discussion at ILTA INSIGHT Summit 2017 last week in London. Titled “GDPR and the Supplier IT Risk Landscape” the panel offered some interesting insight into the impacts of GDPR from the perspectives of an IT Supplier Manager within the legal sector, a major cloud-based software/service vendor, and ourselves as managed service providers.
It was also good to hear some of the potentially positive outcomes of GDPR for businesses. Whilst GDPR is an obvious compelling event to clear out and clean up outdated data privacy and security practices it also represents an opportunity to improve the service and value we offer clients.
Driven by the demand and volume for third party due diligence created by GDPR, new innovative services that support greater insight and management of Third Party Risk are also emerging – such as Shared Evidence Networks and Automation solutions. These are also creating significant commercial advantages – driving down costs and improving scalability for what has historically been a very resource, time and labour-intensive process for Risk Assurance teams.
The countdown continues…
Given 25th May 2018 is fast approaching (now only 6 months away!!!), it is interesting to note that, despite the best of intentions, media coverage and collective awareness of GDPR, much still needs to be done to get our houses in order to be ready and fully GDPR compliant.
Whilst specific and prescriptive advice on “best practice” implementation from the ICO remains unclear, three things are certain:
1. GDPR is coming on 25th May 2018 – not even Brexit will save you!
2. The potential penalties for a breach are severe – up to €20m or 4% of global revenue, whichever is greater.
3. Delegating data processing does not delegate liability – you can be held jointly liable for a breach by a Third Party supplier.
This last point on the risk and liabilities surrounding external data processors is possibly the most pertinent and potentially largest gap in the planning and execution of GDPR compliance programs.
You’re only as strong as your weakest link
If you think you’ve got GDPR and your Third Parties covered just ask yourself:
Do you have a full and complete register of ALL your Third Party IT suppliers, what they do and the contracts you have in place? Especially those that would fall under the remit of “data processors” and/or requiring GDPR compliance?
How likely is it you have an external supplier providing a data processing application or service that has not gone through your formal vetting process? This could be a web app, telemarketing agency, lead generation email service, payment processor, cloud-based service etc.
How confident are you that your Sales, Marketing, HR, Payroll or other internal departments haven’t signed up to a Third Party service provider that has not provided any assurance or contractual obligation to deliver the minimum levels of data privacy and security GDPR demands?
So, do you still think you’ve covered all your Third Party bases?
Your Quick Guide to GDPR compliance of Third Party IT Suppliers
To help you understand the challenges and opportunities in Third Party Supplier risk and GDPR compliance we have developed a “Quick Guide to GDPR and Third Party Risk”. The Guide provides you with the building blocks to ensure your GDPR compliance program includes your Third Party IT suppliers and also offers recommendations on how to change the perception of GDPR compliance – from a box-ticking exercise and ‘cost of doing business’ to an investment in value-add commercial differentiators.
DVV Solutions have also developed a series of simple and straightforward GDPR Third Party risk assessments to help you understand and evidence your suppliers’ (and therefore YOUR) current levels of compliance with GDPR and continuously monitor the threat landscape. Our team of certified IT Security Assurance Consultants can also recommend and help action remediation plans to mitigate any risks to your data security and privacy.
We’d be pleased to hear from you and help find the most cost-effective way to achieve full GDPR compliance throughout your data supply chain.
Download: Quick Guide to GDPR and Third Party Risk
Call Us: +44 (0) 161 476 8700
Contact Us: Complete our online contact form