As the European Union’s (EU’s) General Data Protection Regulation (GDPR) May 25 effective date approached this spring, its sweeping compliance requirements socked U.S. companies with major surprises. The regulation’s global jurisdictional reach, EU-specific definition of “sensitive data,” steep penalties, hefty compliance costs, and applicability to customers as well as employees startled more than a few privacy and compliance teams.
Now, as more organizations pivot from achieving compliance to strengthening and refining their GDPR programs, another unexpected – and critical – facet of the regulation must be addressed: the extent to which GDPR elevates third party risk.
Conforming to GDPR requires a methodical approach, and one that should be carefully integrated into a company’s existing third party risk management (TPRM) program. The success of this integration hinges on five crucial considerations. Before weighing those keys to success, it is important to understand how GDPR – and the regulation’s Article 28 requirements in particular – places new requirements on vendors and affects third-party relationships.
The Regulation and Third Party Risk
At its core, GDPR poses numerous new requirements regarding how companies, regardless of their industry or location, manage the personal information of European “data subjects” (i.e. customers and employees). While Google, Facebook and other U.S.-based technology giants must adhere to GDPR, so too must the small Denver-based restaurant chain that attracts European tourists, the fin-tech start-up with an office in Bruges and thousands of other companies.
Complying with GDPR requires organizations to make some fundamental process changes concerning breach notifications, a European citizen’s “right to be forgotten,” the anonymization of personal data and other practices affected by components of the new regulation.
GDPR replaces the EU’s Data Protection Directive, which had been the basis for EU laws that govern data privacy. It is important to note that an EU regulation is legally binding in each Member State, whereas EU directives identify results each Member State is required to achieve through national laws that each state can develop on its own. Many of the ways that GDPR differs from the previous directive ultimately require vendor risk management capabilities to be updated and enhanced. These changes include:
- The extension of legal obligations to service providers (which the regulation refers to as “data processors”);
- A broader definition, or “higher classification,” of personal data (“sensitive data”) that must be protected;
- New operational requirements for data processing;
- Severe consequences for violations, including a maximum fine amounting to the greater of €20 million or 4 percent of global revenue; and
- A new set of requirements for third party data processors, as laid out in GDPR Article 28.
GDPR also introduces new terminology. Three of the most important phrases include:
- Processing: Any operation or set of operations – automated or manual – performed on personal data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure and more;
- Data Controller: The entity (i.e. a company) that determines the purposes, conditions and means of the processing of personal data;
- Data Processor: An entity (i.e. a vendor) that processes personal data on behalf of the controller.
This represents a brief summary of the regulation, which comprises 11 chapters and a total of 99 articles, or subtopics. Of course, managers responsible for GDPR compliance should read through the entire regulation. Article 28 requires closer scrutiny for companies and, even more so, for vendors that qualify as “processors” and must comply with new rules presented in that section (See “Getting a Read on Article 28”).
Conforming to GDPR requires a comprehensive, multi-step process that works in conjunction with an organization’s existing vendor risk management program. (A tool to evaluate this type of program against best practices is available here: https://sharedassessments.org/vrmmm/.)
At a high level, organizations should begin with scoping to identify critical vendor relationships that are involved in GDPR compliance. Once these vendors have been identified, organizations should:
- Understand which GDPR regulations apply to the vendor;
- Assess the third party’s GDPR readiness;
- Assess the third party’s overall security posture;
- Track how the vendor retains, accesses and transfers sensitive data;
- Address contract provisions to ensure they reflect GDPR requirements;
- Define key compliance artifacts for due diligence response; and
- Conduct testing of key privacy controls.
Follow the Data and other Drivers of Success
While a methodical approach to GDPR compliance is crucial, there are several other considerations and practices that have proven helpful in adapting third party risk management programs to meet GDPR requirements. Most of the following perspectives and activities also help strengthen third party risk management programs:
- Distinguish processes from procedures: One of the most frustrating – yet most valuable – aspects of vendor risk management involves the reconciliation of relevant business processes (i.e. how they are executed in practice) to procedures (i.e. documentation that identifies how processes should be performed). When I help an organization address GDPR or TPRM more broadly, my first question zeroes in on how things work in practice: Walk me through your processes. My goal is to find out how a process is performed before I look at how that same process is documented in a formal procedure. There are often discrepancies, for a number of reasons. For example, procedures frequently have not been updated to reflect process and technology changes. These gaps must be identified and eliminated. After all, procedures represent the record that enforcement teams use to hold your organization accountable.
- Follow the data – and the 80/20 rule: Given how data-driven most organizations have become, keeping a lid on GDPR compliance costs hinges on identifying which systems, applications and data pose the greatest risks. Once compliance teams have evaluated the technical and administrative controls supporting the (roughly) 20 percent of systems that contain 80 percent of GDPR risk, they can expand and refine their scrutiny.
- Consider the total cost of non-compliance: In some cases, organizations – especially small- to mid-sized companies contending with resource limitations – may elect to assume some third-party risks rather than spending heavily to protect certain data. This assumption of risk is typically based on the calculation that the cost of the risk materializing would be less than the cost of mitigating it. When this approach is being considered, risk and compliance teams should be sure to include the potential for reputational risk in their calculations. The reputation risks that arise following a major data breach vary by company; these risks are difficult to estimate, but they can be severe. One company’s shareholders and customers may shrug off a cyberattack. Another company, even one in the same industry, may see its share price plummet and its CEO marched before a Congressional hearing (before being sacked by the board) following a similar incident.
- Define third parties broadly: GDPR Article 28 makes it clear that an organization’s data-related risk management activities extend beyond its four walls to vendors that process sensitive data. Risk and compliance teams should keep in mind that the types of vendors that process sensitive data extend beyond technology companies. Law firms and consulting firms, for example, routinely have access to organizational data.
- Vendors continuously evolve – so should conforming to GDPR: Achieving GDPR compliance is not the same as sustaining GDPR compliance. The same external disruptions and internal changes creating gaps between your own business processes and written procedures are occurring within your data processors and other critical vendors. It’s perfectly fine to give the neighbor’s 12-year-old son your house key so he can feed your cat when you take a vacation. It may not be so prudent to continue to entrust that young man with access to your house after he’s arrested for burglary a few years later. The most effective GDPR programs, as well as the best TPRM programs, contain some form of ongoing monitoring of changing vendor processes and vulnerabilities.
A systematic approach to GDPR compliance and its careful integration into a formal TPRM program, combined with an awareness of effective compliance practices, can help companies sidestep the confusion and misperceptions that accompany sweeping regulatory changes. This holds true for GDPR, which despite how it has been reported in many news outlets, is actually not “new” at all. The regulation’s lengthy text has been available to read and assess for more than two years; May 25 marked the first day that the EU could begin enforcing it.