The General Data Protection Regulation (GDPR) is a privacy law that governs the use, movement, and protection of data collected on European Union (EU) citizens. The GDPR covers any organization that collects, stores, processes, or transfers personal data on individuals in Europe, regardless of the organization’s location. The GDPR imposes penalties of up to €20 million or 4% of global revenue (whichever is higher), plus compensatory damages to individuals.
Because third parties are often responsible for managing personal data on behalf of their customers, organizations must take special care in ensuring those vendors and partners have data protection controls and governance in place. This involves conducting data privacy controls assessments; analyzing the results for potential risks; and requiring third parties remediate those risks to avoid regulatory, financial, and reputational exposures.
In fact, organizations are required by the GDPR to conduct risk assessments to identify risks both inside the organization and with any third party that will have access to personal data. Recital 76 – Risk Assessment states that, “Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk.”
Data privacy risk assessments for all third parties that have access to personal data
Continuous monitoring of critical third-party cyber, business, reputational and financial risks
Documented evidence to demonstrate compliance
Audit trail capabilities
The GDPR Third-Party Compliance Checklist
Read this report to understand third-party considerations in the General Data Protection Regulation (GDPR) and discover how to include GDPR risk assessments in your broader TPRM initiatives.
Meeting GDPR TPRM Requirements
Here's how Prevalent can help you address GDPR third-party risk management requirements:
GDPR Requirements | How We Help |
---|---|
Article 24: Responsibility of the controller Paragraph 1 Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary. Article 24 references two Recitals for guidance: Recital 76: Risk assessment The likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing. Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk. Recital 77: Risk assessment guidelines Guidance on the implementation of appropriate measures and on the demonstration of compliance by the controller or the processor, especially as regards the identification of the risk related to the processing, their assessment in terms of origin, nature, likelihood and severity, and the identification of best practices to mitigate the risk. |
When using third parties as “processors,” it is the information controller (owner) that is liable for ensuring each third party has appropriate controls in place to ensure the privacy and security of personal data. Prevalent’s Third-Party Risk Management Platform automates third-party risk assessments. It provides questionnaires designed specifically for the GDPR and scores risks according to “likelihood and severity,” while facilitating remediation in alignment with GDPR guidelines. Prevalent provides a library of over 750 standardized assessment templates – including the GDPR and other privacy-related regulatory standards – along with customization capabilities and built-in workflows. In addition, Prevalent’s Controls Validation Service reviews third-party assessment responses and documentation against established testing protocols to validate that indicated controls are in place. To accelerate assessments, Prevalent’s Vendor Intelligence Networks provide access to thousands of completed and verified assessments, which are continuously updated and provide supporting evidence. |
Article 25: Data protection by design and by default Paragraph 1 … the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymization, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects. Recital 78 Appropriate technical and organisational measures |
Prevalent provides technical expertise in the design of its GDPR surveys and controls, ensuring that required implementation details are not missed. It helps organizations distinguish properly designed systems from “bolt-on” security and privacy features to ensure full compliance. When third parties use 4th or Nth parties to help process data, Prevalent provides visibility with detailed relationship mapping and audit trails of flows of information throughout a supplier ecosystem. |
Article 28: Processor Paragraph 1 Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject. |
Prevalent offers security, privacy, and risk management professionals an automated platform to manage the third-party risk assessment process and determine compliance with IT security, regulatory, and data privacy requirements, including GDPR. It provides bi-directional remediation workflows, live reporting, and an easy-to-use dashboard for efficiency. With clear reporting and remediation guidance, the platform ensures that risks are identified and escalated to the proper channels. |
Article 28: Processor Paragraph 3 That contract or other legal act shall stipulate, in particular, that the processor: (f) assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 considering the nature of processing and the information available to the processor |
Prevalent delivers the industry’s only purpose-built, unified platform for third-party risk management. The platform combines automated third-party assessments and continuous threat monitoring to simplify compliance, reduce security risks, and improve efficiency. The platform provides security and compliance professionals with a 360-degree view of data processor risks, via clear and concise reporting tied to specific regulations and control frameworks, including GDPR, for improved visibility and decision making. The Prevalent Platform enables contract reviews, helping to reveal potential contract violations and inform renewal negotiations via dedicated contract assessments. |
Article 28: Processor Paragraph 3 That contract or other legal act shall stipulate, in particular, that the processor: (h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller. |
The Prevalent Third-Party Risk Management Platform includes effective reporting to satisfy audit and compliance requirements, as well as to present findings to the board and senior management. The entire risk profile can be viewed in a centralized live reporting console, and reports can be downloaded and exported to determine compliance status with GDPR provisions. Deep reporting capabilities include filters and click-through interactive charts. The solution includes a complete repository of all documentation collected and reviewed during the diligence process. Prevalent Vendor Threat Monitor (VTM) alerts organizations to adverse changes in third parties’ businesses and triggers targeted assessments to address interim immediate risks. Early alerts enable more time to respond to incidents, and built-in remediation guidance helps organizations protect personal data and avoid regulatory actions and reputational damage. |
Article 32: Security of Processing Paragraph 1 The controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including: (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. Recital 76: Risk Assessment The likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing. Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk. |
Prevalent offers security, privacy, and risk management professionals an automated platform to manage the third-party risk assessment process and determine ongoing compliance with IT security, regulatory, and data privacy requirements, including the GDPR. It employs both standard and custom questionnaires to help collect evidence and provides bi-directional remediation workflows, live reporting, and an easy-to-use dashboard for efficiency. With clear reporting and remediation guidance, the platform ensures that risks are identified and escalated to the proper channels. |
Article 35: Data protection impact assessment Paragraph 1 Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks. Paragraph 7 The assessment shall contain at least: 1) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller; 2) an assessment of the necessity and proportionality of the processing operations in relation to the purposes; 3) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and 4) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned. |
With Prevalent, you can conduct Privacy Impact Assessments to uncover at-risk business data and personally identifiable information (PII). Analyze the origin, nature and severity of risk and get remediation guidance. For organizations needing more resources, Prevalent’s Vendor Risk Assessment Services experts can handle everything from risk collection and analysis, to reporting and remediation management. |
Article 45: Transfers On The Basis Of An Adequacy Decision Paragraph 1 A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Paragraph 2 Such a transfer shall not require any specific authorisation. When assessing the adequacy of the level of protection, the Commission shall, in particular, take account of the following elements: • the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data. |
Prevalent supports Environment, Social, and Governance (ESG) compliance with capabilities to assess third parties against a number of ESG topics and correlate the findings with continuous external monitoring into vendor practices. This includes stewardship of the environment, diversity and inclusion, human rights (e.g., anti-slavery), labor standards, finance and tax strategies, and overall operational transparency. In addition, Prevalent includes Breach Event Notification Monitoring, providing access to a database containing 10+ years of data breach history for thousands of companies around the world. This Includes types and quantities of stolen data; compliance and regulatory issues; and real-time vendor data breach notifications to help determine the posture of companies you are considering transferring data to. |
Align Your TPRM Program with CCPA, GDPR, HIPAA and More
Download this guide to review specific requirements from 6 data privacy authorities, identify TPRM capabilities that map to each requirement, and uncover best practices for ensuring compliance.
Mitigate privacy risks and comply with GDPR requirements by assessing third-party data protection controls with these...
Learn how a third-party risk management (TPRM) policy can protect your organization from vendor-related risks.
Align your TPRM program with GDPR, CCPA, HIPAA and other data privacy regulations.