How Vendor Risk Management Can Impact Your GDPR Compliance

Click here to get this post in PDF

Irrespective of a company’s size, risk exposure is downright indiscriminate. With the General Data Protection Regulation (GDPR) now in full effect, companies or organizations ought to engage themselves in operations that show compliance. Such activities include the implementation of a solid vendor risk management program to detect, track and monitor the risk exposure of your company. By doing so, you will be protecting your company from facing penalties and fines among other potential legal implications that come under GDPR.

Organizations are required to upgrade their key business operations in an effort of preparing for GDPR. For instance, they should overhaul their vendor risk management program. Bear in mind that the GDPR’s expressed language as detailed in the European Union law regarding data processors and controllers is crystal clear. It stipulates that you are accountable if any of your third party’s processors experience a breach, which results in compromised customer data. The following is a high-level outline of the applicable GDPR articles, which vendor risk management may affect.

The General Data Protection Regulation boasts numerous articles that influence the processing of data by the processor and controller as shown above. For instance, Article 28 requires controllers to utilize processors that have not only displayed but also delivered enough guarantees that they have applied the necessary organizational and technical measures required to ensure the safeguarding of data subjects rights. What this means is that you have to undertake due diligence and evaluate your third-party vendors in a bid to make sure that they satisfy all the requirements of GDPR compliance. In addition, the entire process has to be documented.

Here are questions that you must ask if you want to understand how your vendor risk management program can affect GDPR compliance as follows below:

• What kind of personally recognizable information are both you and your vendors gathering, storing or processing?
• Who have you tasked to process personal data on your behalf?
• Where have you stored this data?
• When and how is it disposed of?
• Have you implemented procedures and policies for data collection, compliance and use?
• Is the data belonging to the European Union (EU) residence or citizens?
• What type of personal data is processed?
• What do you want to achieve by processing the data?
• Who is authorized to access the information?
• What precautions and policies are both the processor and controller taking in an attempt to safeguard your employees and customers’ sensitive data?
• What is the procedure for notification of breaches?

Use the following questions to pinpoint critical risk areas as follows:

• Are your EU citizens aware that you are sharing their personal data with third parties?
• Are you certain that your vendors can provide enough guarantee regarding the level of data protection or rather how can you offer proof?
• Have you carried out vendor risk evaluations to identify the effects of GDPR as well as its usefulness not only to you but also your vendors?
• Do you carry out data privacy impact evaluations before you bring onboard new vendors or systems?
• Have you created procedures and policies to take up or get rid of vendors, oversee their compliance and evaluate them on a regular basis?

In case you are dealing with high-risk vendors, you need to undertake controls assessments of various aspects such as onsite reviews, data sources, and periodic questionnaires. Doing so will help you make sure that third-party vendors are neither deleting nor altering the data. What’s more, ensure that your vendor management program is centralized.  For instance, you can find various tools on the market such as ZenGRC that can handle such a process with ease.

For effective vendor management, a systematic technique is needed in a bid to identify and manage vendor risk. Even so, believing that sometime soon, you would have to show your compliance with vendor management and GDPR is not in any way unreasonable. Keep in mind that audits will eventually be done. In turn, your behavior when it comes to vendor risk management will be evaluated, tested and even questioned.

GDPR or the General Data Protection Regulation entails a regulation contained in EU law regarding various matters including the European Economic Area (EEA), the privacy of all people residing in the European Union and most importantly data protection. The law seeks to address the export of personal data, particularly outside the European Economic Areas and the European Union. In addition, GDPR aims to give residents and citizens control over their personal data as well as simplify the regulatory space for international business. It does this through uniting the regulation within the European Union.

You may also like: The Most Important Part of GDPR Compliance

About the Author

Ken Lynch is an enterprise software startup veteran, who has always been fascinated about what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. Learn more at ReciprocityLabs.com.