GDPR and Third Party Data Processor Risk
On May 25th 2018 the biggest change to data protection law in 20 years will kick in: the EU General Data Protection Regulation (GDPR).
You know the risks. Any breach of Personally Identifiable Information (PII) can result in new penalties, with fines of up to 4% of Annual Global Revenue or 20 Million Euros – whichever is higher.
Most companies that are impacted have compliance initiatives underway. However, there’s one essential element that many are STILL not fully addressing – GDPR Third Party Data Processor Risk.
Whether PII data is shared and processed by a Third Party for Customer-related (e.g. Sales and Marketing, Credit Checking, Service and Support) or Employee-related (e.g. outsourced HR, Payroll) activity, you as the “data controller” have ultimate responsibility for what happens to it.
“The controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject,” GDPR’s Article 28.
In GDPR verbiage, “data controllers” must ensure the due diligence and security practices of the Third Party data processors they share PII data with, AND, crucially, they (that means YOU!) assume joint responsibility for what happens to it. This means that YOU will be held liable if one of your chosen Third Party data processors gets breached as a result of failing to meet GDPR requirements and your Customer or Employee PII data gets compromised.
You’re only as strong as your weakest link
Industry reports suggest over 60% of IT security breaches occur via a Third Party. So as organisations of all sizes become more dependent upon Third Party data processors to manage and process their most critical information, understanding the key policies, security practices, and other key controls their suppliers use to protect this information becomes critical to operational efficiency AND regulatory compliance.
Easy to say, but challenging to do, as Sean O’Brien, DVV Solutions Managing Director, explains: “Many organisations are not able to adequately defend their selection of external data processors or understand the Third Party data processor risk associated with their operations. The task of performing due diligence and risk modelling on Third Parties can be time consuming, resource intensive and cost prohibitive but that’s not going to wash with regulatory bodies once GDPR kicks in in May.”
That’s where services such as DVV Solutions’ GDPR Third Party Risk Assessment can help.
Thorough analysis of Third Party Data Processor Risk & GDPR compliance
The GDPR Third Party Risk Assessment is delivered as a fully managed service on your behalf by our IT Security Assurance experts. It covers the full breadth of exposure posed by outsourcing the processing of PII data to Third Party data processors, including subjects such as:
- Awareness and understanding of GDPR regulations and data protection principles
- Lawfulness of processing and further processing and legitimate interests
- Children’s data protection, processing and management
- Sensitive data and lawful processing
- Subject access, rectification, portability and right to object processes
- Management of right to erasure and right to restriction of processing
- Personal data breach notifications
- Profiling and automated decision-taking
- Data governance obligations
- Transfers of personal data processes, and
- Codes of conduct and certifications
With the clock continuing to tick down to the launch of GDPR on 25th May 2018, these GDPR Third Party Risk Assessments will help to fill the gap in many GDPR programs where the assurance and compliance of Third Party data processors is often left to a basic check and update of contractual terms. Though important, contractual commitments only help to identify liability after a breach, and potentially significant financial and reputational damage, has occurred.
In line with the ICO’s guidance for implementation of “best-practice”, the GDPR Third Party Risk Assessment develops a more proactive approach to GDPR compliance – identifying risks and issues and allowing both parties to work together to mitigate any clearly validated risks before, rather than after, the fact.
Visit our GDPR Third Party Risk Assessment page to find out more or:
Call Us: +44 (0) 161 476 8700
Contact Us: Complete our Contact Form
For the latest information on GDPR regulation and compliance, DVV Solutions suggests visiting the Information Commissioner’s Office (ICO) dedicated website.