GDPR Turns One, and Four “Gotchas” Are Catching Third-Party Risk Managers by Surprise

Mitratech Staff

It’s been just over a year since the EU General Data Protection Regulation (GDPR) went into effect. Since then, many organizations have sought out silver-bullet tools to determine if their third-party ecosystems are sufficiently protecting their data – and thereby their brand and profit. However, many compliance and risk leaders have encountered “gotchas” that reveal how basic third-party risk management tools just don’t cut it when it comes to GDPR.

What’s the problem with silver bullets?

Every organization needs to identify which controls are most critical to protecting data. However, once data is removed from your environment, you depend on the controls implemented by those handling or processing your data. Unfortunately, many organizations don’t have the in-house expertise or funding to build an effective Third-Party Risk Management (TPRM) and do the bare minimum to measure vendor adherence to GDPR.

In their quest to avoid auditor scrutiny and dodge GDPR penalties, many privacy departments simply require third parties to sign GDPR attestation letters, placing the onus on their suppliers to decipher and adhere to the mandate. Other organizations look to vendor risk ranking and scoring tools to “check off” regulatory requirements. However, most scoring and rating tools are short-sighted, fail to provide meaningful data, and can spur decisions based on what is available rather than what is actionable.

If your TPRM program stops with attestation letters or “outside-in” scoring and rating tools, you may be a victim of the Four GDPR Gotchas …

But first, a refresher on the key GDPR components

Before we get to the Gotchas, let’s set some context with a reminder of the key GDPR components:

  • Rights of Individuals – People’s rights to be informed and to be forgotten.
  • Right to be Informed – People’s right to understand who is collecting their personal data and for what purpose it is used.
  • Right to be Forgotten – People’s right to request that their personal data be erased.
  • Data Protection Officer (DPO) – Appointment of a DPO to monitor compliance for organizations acting as a processor or a controller.
  • Obligations on data processors – May 2018 readiness plan addressing the processor’s responsibility to implement technical and organizational measures that secure personal data during processing activities.
  • Data Protection Impact Assessment and data breach response – Controller’s requirement to report a personal data breach within 72 hours.

The Four GDPR Gotchas

With that, here are the “Four Gotchas” many organizations didn’t expect when planning for GDPR readiness – and how to avoid them:

1: Vendor management is only one component of GDPR

To ensure your Third-Party Risk Program is addressing all of GDPR, confirm that your due diligence and action plans are in concert with the entire mandate. Managing vendors is just scratching the surface. Use Prevalent’s GDPR Questionnaire, which is based on Shared Assessments Standards, to determine third-party readiness across all GDPR components. Having third parties sign attestation letters is a quick fix; however, it’s your responsibility to monitor third-party compliance and to dig deeper when their controls are deemed unfavorable (or non-existent).

2: Smaller vendors often slip through the cracks in GDPR efforts

Most organizations have identified big, obvious vendors, such as hosting providers, but GDPR can impact all vendor classifications. Use Prevalent’s Third-Party Risk Management Platform to better classify and apply proper due diligence across all levels of vendors. Hosting provider due diligence is a good start, but it won’t support governing your full vendor universe. Prevalent enables you to right-size content gathering for GDPR and provides risk registers to inform your DPO what is needed for governing third-party GDPR Compliance.

3: GDPR fines and penalties are real for everyone

While you’ve probably heard about Facebook and Uber receiving hefty GDPR fines, no industry is immune. Healthcare, financial and retail organizations alike have also received fines. Prevalent’s solution determines the GDPR readiness of not only your organization, but also that of your affiliates, subsidiaries, and Nth parties. The Prevalent Risk Register assesses GDPR readiness across all stakeholder levels to reduce your risk of GDPR fines.

4: Data processors are also being fined

From CCTV installers to IT services handling patient information, GDPR raises regulatory obligations for all third parties in your ecosystem. With Prevalent, you can easily categorize all entities and generate spider diagrams that reveal how far your data flows and depict how widely you must apply GDPR controls.

A more complete, accurate picture of third-party risk and compliance

It’s up to you to deepen and expand your third-party risk assessments to address gaps that could lead to a damaging fine or regulatory finding. I just shared a few examples of how Prevalent’s unified Third-Party Risk Management Platform can help you avoid some of the GDPR Gotchas. It boils down to this:

See how Prevalent can help you simplify the process of assessing, validating and remediating third-party risk, while meeting GDPR and other compliance mandates: request a demo today.

Editor’s Note: This post was originally published on Prevalent.net. In October 2024, Mitratech acquired the AI-enabled third-party risk management company Prevalent. The content has since been updated to include information aligned with our product offerings, regulatory changes, and compliance.