In 2018, the business world almost melt with the terrifying news of the enforcement of the General Data Protection Regulation (GDPR). Now, it’s a widely implemented and respected data privacy regulation for organizations within and outside of the European Union. With everything we’ve come to know, it’s worth analyzing the impact of GDPR on the use of trusted service providers in support of business operations. Here’s everything you need to know about GDPR and third party vendors.
Before we can discuss GDPR and third party vendors, it’s critical we understand the definitions of the Controller, Processor, and Personal Data (as found in Chapter 1 and Article 4) and the territorial scope (as found in Chapter 1 and Article 3) outlined by GDPR:
As for the “Territorial Scope”:
The first major obstacle is identifying whether, or not, GDPR will apply to your organization. If you’ve made it this far in to this article then let’s assume you’ve validated GDPR’s applicability to your company. If your company uses a trusted third party vendor to process or store your company’s data then your third parties could be considered as “Processors” according to GDPR’s definitions (above), thus, also making your third parties susceptible to GDPR’s oversight.
Next, the specific data elements protected by GDPR need to be identified and their location(s) properly documented. Proper data mapping helps to identify which data elements need to be isolated from others in instances where various aspects of GDPR (such as a Data Subject’s rights to be forgotten or rights to object to processing) are necessary, to ensure timely compliance to these requirements is enforced. Once appropriate data elements are identified (and properly mapped) the actual maintenance and management of the database becomes significantly less complex and easier to work with.
Other impacts to the compliance of GDPR requirements still apply, such as the appointment of an appropriate Data Protection Officer (DPO) who will be required to report to the appropriate Supervisory Authority designated by each Member State of the EU. Another important piece of information to be aware of is the ability for a company to leverage a trusted third party as the appointed DPO.
When all things are in order, one of the most important pieces of this vast puzzle remains the organization, identification, and ease-of-management of databases where GDPR requirements are applicable. There’s multiple technical tools available to assist in these efforts, if your company maintains their own on-site and internally hosted database. There are also multiple tools available to help companies without these capabilities offering various type of cloud-hosted solutions (SaaS) to properly organize, manage, and report GDPR compliance.
If your company is subject to the oversight required by GDPR, it may be a good idea to let your trusted third parties know if they’re also potentially going to become subject to these requirements. This will help ensure their own compliance is in order and that they are accepting any additional responsibilities.
For new third party vendors onboarded in your organization, you could simply add GDPR-related requirements to your risk assessment and monitoring workflow.
Learn More: How to Customize Requirements in Your Vendor Risk Assessments
In consideration of protecting your existing relationships, notice to your current third parties may be necessary if you change your requirements associated with providing goods and/or services to your company. Please seek your company’s appropriate legal guidance and counsel for formal advice and direction.
Even if GDPR compliance may not be a priority for smaller data collectors or companies based outside of the EU, it’s still worthwhile to consider for the following reasons:
Deciding if you need a third-party risk management tool and choosing the right one can be challenging. This buyer’s guide will put you on a path to auditable risk management and accelerate your journey to TPRM maturity.
You will learn how to boost efficiency, transparency, and control over your risk management indicators.
|cookielawinfo-checkbox-analytics||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".|
|cookielawinfo-checkbox-functional||11 months||The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".|
|cookielawinfo-checkbox-necessary||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".|
|cookielawinfo-checkbox-others||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.|
|cookielawinfo-checkbox-performance||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".|