Third-Party Risk Management and GDPR Compliance

BLOG 4 MINS | November 18, 2019
Third-Party Risk Management and GDPR Compliance

In this blog post, we’ll discuss what the GDPR is, some definitions, and what challenges organizations are facing, and key concepts under the GDPR that impact your third-party risk management program.

Are you GDPR-ready? Download the third-party risk GDPR checklist today!

What is the GDPR?

GDPR stands for the General Data Protection Regulation. The GDPR came about due to a lack of uniformity in data protection rules throughout the European Union (EU), as well as the inability of the Data Protection Directive to keep up with constantly evolving technology. Thus, the EU enacted the GDPR to impose a single set of rules across the EU.

The GDPR ensures the protection of individuals’ rights, demands that organizations consider data privacy when new technologies arise, and requires that organizations maintain accountability to demonstrate compliance with the GDPR.

What Third-Party Risk Management Challenges are Organizations Facing with the GDPR?

While the GDPR focuses on data protection, things can get complicated when it comes to managing risks related to processors. Because of the GDPR’s accountability requirements, your organization’s processors need to step up and demonstrate compliance with the GDPR. And if they don’t, your organization may bear the consequences, both from a reputational and penalty perspective.

GDPR Third-Party Risk Management Definitions

To fully understand how the GDPR impacts your third-party risk management program, you need to know how the GDPR defines processors, controllers, and subprocessors.

Controllers are organizations that determine the purposes and means of personal data processing. In other words, they “control” the processing. Controllers direct processors on how to use or handle data and are ultimately responsible for vetting them.

Processors are any natural or legal person, public authority, agency, or other body which processes personal data on your organization’s behalf—vendors, contractors, suppliers, and other outsourced operations would fall under this category.

Subprocessors are the entities that process personal data on the processor’s behalf. For purposes of third-party risk management programs, a processor is the third-party, while the subprocessor is the fourth party.

Now what does this mean for your organization? The GDPR lays out requirements for recordkeeping that organizations must follow when using processors. As a result, keeping records to demonstrate accountability and compliance with the GDPR is critical.

At a minimum, organizations must maintain a processor inventory and track cross-border data transfers as well as confirm that processors have adequate safeguards in place to protect personal data.

Are you managing processors in accordance with the GDPR’s requirements? Download our third-party risk GDPR checklist today to find out!

The GDPR’s Key Third-Party Risk Management Requirements

Your organization should focus on key third-party risk management requirements as set forth in the GDPR, including Articles 28, 30, 31, 32, 33, and others. Some of these requirements include:

  • Requiring processors to help you fulfill data subject rights requests, including establishing procedures to communicate to processors any data subject request to rectify or erase personal data
  • Performing a Data Protection Impact Assessment (DPIA) when engaging in a processing activity with a processor that will likely result in a high risk to data subjects’ rights
  • Obtaining sufficient guarantees from processors that they have appropriate technical and organizational measures to safeguard personal information
  • Ensuring that processors obtain your written authorization to use subprocessers (i.e., fourth parties) and that they bind subprocessors to the same data protection obligations by contract
  • Maintaining records of all categories of processing activities carried out by processors
  • Tracking and ensuring lawful cross-border data transfers
  • Ensuring that processors notify you immediately upon becoming aware of a data breach

Subject to the CCPA as well as the GDPR? Check out our third-party risk management for CCPA blog post to learn more about the new California privacy law.

OneTrust Vendorpedia – Third-Party Risk Management Software

Making sure that your organization can demonstrate compliance with the GDPR is a board-level concern. Challenges such as these deserve a software solution. That’s why OneTrust Vendorpedia is here to help with risk assessment automation, mitigation workflows, third-party risk and performance tracking, as well as automated recordkeeping for compliance.

Want to learn more about how OneTrust Vendorpedia enables organizations to manage third-party risk and demonstrate GDPR compliance? Request a demo today!