By Linnea Solem, Chair, Shared Assessments Privacy Committee
On January 28th, organizations worldwide celebrate Data Privacy Day. Its goal is to raise awareness of the importance of respecting privacy, safeguarding data and enabling trust. Each year, organizations take the opportunity to spotlight the key privacy risk topics for the coming year. Reviewing 2017 and the likely data protection challenges of 2018, one common thread in the media coverage is the risk that third parties introduce for organizations that must protect customer data. The Data Privacy Day web site, www.staysafeonline.org, provides a suite of infographics and tools explaining why privacy matters for consumers, businesses, organizations, schools and non-profits. Among its findings: 75 percent of Americans feel it is “extremely” or “very” important that companies have “easy-to-understand, accessible information about what personal data is collected about them, how it is used and with whom it is shared.”
Personally Identifiable Information (PII) Remains Top Information Risk
The International Association of Privacy Professionals (IAPP) conducted its second annual study of the risk disclosures of 150 publicly traded companies. It found that 100% of these companies identified cyber attacks in their most recent 10-K reports as current and ongoing risks, up from 86% the prior year. Loss of customer or employee PII remains the top disclosed information-related risk, cited by 87% of companies, with reputational harm the most frequently cited potential consequence at 95%. After the risk of a cyber attack, the #2 concern, cited by 69% of the surveyed companies, was information loss or misuse by business partners or other third parties. That is a 22% jump over the first report, underscoring how critical third party oversight and third party risk management have become. While most organizations indicated that changes in privacy laws and legal standards are a risk, only 10% specifically mentioned the upcoming enforcement of the EU General Data Protection Regulation (GDPR).
Third Party Risk Management a Key Priority in 2018
Changes in data protection regulations and legal standards are top of mind for many organizations in 2018, with enforcement milestones approaching for everything from New York State’s Cybersecurity Regulation to GDPR. In a recent study, The True Cost of Compliance with Data Protection Regulations, by the Ponemon Institute and Globalscape, 90% of respondents rated GDPR compliance the most difficult to achieve, surpassing even the PCI DSS standards. The impact of GDPR is not simply that the regulation extends liability directly to service providers (data processors); it also carries an enforcement mechanism of fines of up to €20 million (roughly $23.6 million) or 4% of the company’s total worldwide annual turnover, whichever is higher. It is not surprising, then, that 92% of US multinationals surveyed by PwC named GDPR a top priority, and 77% plan to spend $1 million or more on compliance.
GDPR compliance readiness is hard to measure, because many organizations may not realize they have triggered its heightened obligations. GDPR applies to any organization that stores or processes personal data about individuals in the European Union, regardless of where the organization itself is located. The regulation sets distinct obligations for data controllers and for data processors. From a GDPR viewpoint, even remote access to personal data from outside the EU is treated as a data transfer, so organizations need a solid understanding of their data flows, data inventories and cross-border interactions. Knowing where your data is becomes an even more crucial part of compliance once the third-party ecosystem is taken into account. GDPR readiness will therefore require organizations to implement or expand their third party vendor management programs with assurance approaches that add the due diligence these new requirements demand.
To help meet this need, the Shared Assessments Program’s Privacy Committee, a leading group of third party risk management privacy professionals from a variety of industries, has designed a GDPR Data Processor Privacy Tool Kit that provides preliminary guidance for effectively evaluating and managing third party risk for “Data Processors” under the GDPR. The Tool Kit contains tools, checklists and templates that highlight a broad range of privacy-relevant requirements for third party relationships, and it identifies potential artifacts to review as evidence of conformance with GDPR requirements. It is designed as a flexible set of tools and templates that any organization can incorporate into its own third party risk management structures and processes.
So on this Data Privacy Day, access the tools to Be Safe Online, and start planning for GDPR readiness!
#PrivacyAware and #SAGDPRToolkit