A GDPR Compliance Checklist for Third-Party Risk Management

Article 24: Responsibility of the controller

Paragraph 1

Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.

Article 24 references two Recitals for guidance:

Recital 76: Risk assessment

The likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing. Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk.

Recital 77: Risk assessment guidelines

Guidance on the implementation of appropriate measures and on the demonstration of compliance by the controller or the processor, especially as regards the identification of the risk related to the processing, their assessment in terms of origin, nature, likelihood and severity, and the identification of best practices to mitigate the risk.

When using third parties as “processors,” it is the information controller (owner) that is liable for ensuring each third party has appropriate controls in place to ensure the privacy and security of personal data.

Attempting to conduct third-party assessments using manual questionnaires and spreadsheets is inconsistent and unscalable. In the event of an audit, the ability to “demonstrate that processing is performed in accordance” with the GDPR can be challenging. Manual assessments can result in missed requirements and responses that are poorly answered or incomplete. To satisfy the GDPR requirements, assessments must be objective and scoring consistent.

Article 25: Data protection by design and by default

Paragraph 1

… the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymization, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.

Recital 78

Appropriate technical and organisational measures
In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default.

Complying with the GDPR requires deep technical understanding of data processing, data governance, and controls. While most risk assessment surveys focus on general controls and policies, the GDPR requires special treatment of personal information, including pseudonymization, data minimization, and (per Recital 78) data protection “by design and by default.”

Article 28: Processor

Paragraph 1

Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.

Organizations often work with dozens of third parties with access to personal information covered by the GDPR. Examples include advertising partners, data processors (including cloud applications), and cloud hosting providers.

Compliance with the GDPR requires more than simple vendor agreements. It requires understanding how data is used, how it moves, and evidence of specific controls to protect personal data.

Article 28: Processor

Paragraph 3

That contract or other legal act shall stipulate, in particular, that the processor:

(f) assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 considering the nature of processing and the information available to the processor

Articles 32 to 36 provide the requirements for a data protection impact assessment along with continuous monitoring of critical data processors (third parties). Each processor relationship “shall be governed by a contract or other legal act” that obligates the processor to protect personal information. The required risk assessment is to identify risks to personal information and ensure the processor has adequate controls in place.

Article 28: Processor

Paragraph 3

That contract or other legal act shall stipulate, in particular, that the processor:

(h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

Be sure to maintain a complete repository of all documentation collected and reviewed during the diligence process.

Article 32: Security of Processing

Paragraph 1

The controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

Recital 76: Risk Assessment

The likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing. Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk.

While assessments are often viewed as an onboarding exercise, GDPR and other regulatory standards require continuous compliance. Managing a single compliance review can be challenging using manual processes. Knowing when circumstances would warrant a periodic update across dozens or hundreds of third parties across the globe is even harder.

Article 35: Data protection impact assessment

Paragraph 1

Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.

Paragraph 7

The assessment shall contain at least:

1) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;

2) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;

3) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and

4) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.

Technology evolves daily and new service offerings can provide enhanced business value. The GDPR makes clear that prior to adopting new ways of processing personal data, organizations must assess the impact of those operations on the data.

Article 45: Transfers On The Basis Of An Adequacy Decision

Paragraph 1

A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection.

Paragraph 2

Such a transfer shall not require any specific authorisation. When assessing the adequacy of the level of protection, the Commission shall, in particular, take account of the following elements:

• the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data.

Increasingly, boards of directors, investors, and customers want to ensure organizations and their partners and suppliers share common values and commitments. The GDPR captures this in Article 45, requiring that human rights and rule of law be considered when transferring personal information.