Top Thoughts for GDPR Third-Party Management

The European General Data Protection Regulation (GDPR) takes effect in May 2018. While global organizations are required to demonstrate compliance of their security and privacy practices, the obligation goes beyond the internal organization: the GDPR also extends to the third-party vendors of GDPR-applicable companies.

The problem doesn’t end there; organizations can have hundreds to thousands of relevant third parties in scope for GDPR.

While you are working diligently to help ensure your own organization is compliant with GDPR, your organization is explicitly responsible for the readiness and conduct of the third parties that store or process your EU citizens’ personal information.

We see three priorities for third-party management: understanding the different roles defined in GDPR; identifying the key contract elements to consider for GDPR processors; and assessing the applicable processors for compliance.

Who’s in Charge?  
The roles and responsibilities have changed under GDPR from the EU Data Protection Act. GDPR defines three important parties: the controller, the processor, and the data protection officer (DPO).
GDPR defines a controller as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.” A “processor” is defined as a “natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.” In other words, a processor is a third party that carries out directives defined by the controller.

The controller is responsible for all actions taken by the processor concerning the proper or improper handling of personal information. GDPR takes this a step further: if a processor steps outside the bounds of the obligations set by a controller, then the processor is treated as a controller and is subject to all provisions for controllers.

The GDPR also states that processors are not permitted to subcontract their services without approval from the controller. Terms of agreements between controllers and processors should also cover this, and we’ll discuss this more in the next section.

The GDPR requires the controller and the processor to designate a DPO to oversee GDPR compliance.
So, who’s in charge? The DPO must continuously monitor GDPR compliance. Controllers establish services and tell processors what they are authorized to do with the controller’s information. Processors have to be compliant or answer to the controllers and the GDPR authority.

Contract Agreements
Contracts are the communication vehicle between the controller and the processor. They are a critical step in making sure the obligations between controller and processor are clear. Under GDPR, controllers need to understand that they are largely responsible for anything that processors do with the EU personal information (EUPI) that is sent to them. If processors stray from the defined parameters, controllers will share in the liability.

While we aren’t lawyers, pragmatically it makes sense to us that agreements between controllers and processors should at minimum include the following:

  • Agreement that GDPR is in scope for some or all activities performed by the processor, and that the processor agrees to be GDPR compliant.
  • Agreement that the processor will not outsource in-scope services without written approval.
  • Agreement that processor will establish and maintain an effective, risk-based security management program and allow for verification of the security controls. Some controllers may extend to requiring external attestations, risk assessments, penetration tests and more—as warranted by the level of risk.

These provisions are in addition to the standard security clauses that an organization would impose on its service providers, covering incident notification, right to audit, risk management, cyber insurance and control effectiveness.

Assessing Your Relevant Third Parties
Because of the extensive use of outsourcing and SaaS, IaaS and PaaS services, one of the most onerous tasks in GDPR preparation is the assessment of relevant third parties. Remember that controllers are responsible for the actions taken by their processors, so it’s important to identify all relevant processors, understand what data is stored and processed, how well each processor protects EUPI data, and their progress towards becoming GDPR compliant.

This is a tall order, as many organizations have not identified all their third parties and don’t know where all their EUPI data resides, internally or with third parties. GDPR has a lot of organizations scrambling on these two items alone.

Organizations with more than a few dozen service providers in scope for GDPR have their hands full for the following reasons:

  1. Organizations will need to figure out what questions to ask their processors, send questionnaires to them and follow up with them until they respond.
  2. Organizations then need to carefully review the questionnaire results. In many cases, controllers are going to request that processors provide evidence substantiating their answers, and then wait for those artifacts for further examination.

Next, there is remediation. For those processors who are honest in their responses (and we presume most, but not all, are), there are likely to be gaps in their security program that controllers find unacceptable. Remediation efforts to become GDPR compliant take time, which suddenly makes May 2018 feel much closer than it did before considering the prospect of all of this due diligence.

Changing Your Approach
Using Excel spreadsheets to understand and track third parties’ progress towards compliance is acceptable, although it is highly inefficient and doesn’t scale.

An effective solution to your GDPR challenge is to leverage automation to provide the “big picture” risk information that helps management understand the compliance risk “hot spots.” GDPR is the call to arms for many organizations to upgrade to modern third-party risk management (TPRM) platforms, which provide the ability to cost-effectively scale the assessment of third parties for GDPR compliance, track remediation and provide executive-level reporting.

Understanding which third parties are considered “processors” under GDPR rules and then tracking their progress towards compliance is a daunting task. Therefore, getting started now is essential to demonstrate progress towards compliance before the May 2018 date arrives.
