By Brad Keller, Chair, Senior Director of Third-Party Strategy, Prevalent, Inc.
Chair, Shared Assessments VRMMM Committee
Great, yet another blog talking about the need to get ready for the European Union’s General Data Protection Regulation (GDPR). Wouldn’t it be nice if just once someone really helped me deal with GDPR instead of reminding me of all the work I must do? Well folks I’m here to do just that.
Determining vendor compliance with GDPR requires a fairly rigorous process. It starts with determining what data you provide to or share with your vendors, whether that data is covered by GDPR, and if so, what requirements apply to that type of data. Vendor contracts must be amended with new language that defines the vendor's role. Since most vendors will fall under the definition of a Data Processor, their responsibilities will be defined by Article 28 of GDPR (although it is possible for a vendor to be both a Data Processor and a Data Controller). I could continue with a litany of the issues you'll face, but that would only add to your problems rather than help you solve them.
The Shared Assessments Privacy Working Group has developed a Tool Kit to guide you through the process. Their GDPR Data Processor Privacy Tool Kit has everything you need: the processes you must have in place to identify and map customer data; sample model contract provisions to bring your vendor contracts into compliance; lists of the documentation you'll need to obtain; an updated privacy survey for gathering the information you need to assess your vendors' GDPR privacy readiness; and many other useful resource documents. The best part about the Tool Kit is that it's free and can be downloaded from their web site at https://sharedassessments.org/gdpr-tool-kit/.
The Shared Assessments Standard Information Gathering Questionnaire (SIG) already covers the information you need to determine whether your vendors have adequate IT security controls in place. Now, with the GDPR Data Processor Privacy Tool Kit addressing the data privacy side, you'll have what you need to make sure your vendors are ready for GDPR.