The EU (European Union) General Data Protection Regulation (GDPR) is timely: all e-commerce is squarely in the sights of cyber criminals. Not a day goes by without a breaking story of yet another breach of consumers’ confidential data. However, while we may be in the habit of talking about consumer data privacy concerns, the GDPR’s scope of citizen data is broader. This means items such as payroll or healthcare data also fall under the GDPR’s jurisdiction.
With any new regulation comes a period of research and understanding of the new requirements, but after a while paralysis by analysis can set in. We’ll move past the regulation itself, all 11 chapters and 99 articles, and offer some practical steps to design your GDPR compliance framework. Remember, leveraging other lines of business to tackle this head-on will pay dividends. This will take a concerted effort between compliance, legal, IT and third party risk management. Considering the heavy use of vendors in financial services, GDPR adds an extra layer of responsibility to the third party risk management team.
Areas to Review
Areas which need to be reviewed include:
- Vendor inventory and defining location and business footprint
- The individual’s consent protocols
- Contract language
- Defining vendors as data processors
- Determining the scope of personal data and data processor access
- Data breach notification requirements
- Updates to policy and procedures
The 7 Steps
Where applicable, I have included the relevant chapter and article number to help guide you.
- Vendor Inventory – Chapter 1, Articles 1-4
  Considering how many vendors appear on a vendor report, it’s worthwhile to review each vendor service and pay special attention to cloud storage providers, data centers, marketing firms, payroll and healthcare providers who may be accessing EU residents’ private data. Remember, GDPR has a global reach and is not limited to organizations with a bricks-and-mortar store in the EU. If the data is being exported outside of the EU States, GDPR is still applicable.
- Data Subject (Individuals) Consent Protocols – Chapter 2, Articles 5-11
  Individuals must be provided with clear and transparent communication regarding their consent to share their non-public information. This can be achieved electronically, by email or by snail mail, and there should be disclosure that the information is being shared with third parties, aka your vendors. As the primary source of the data collection, you are considered the data controller. Your responsibilities and liabilities under GDPR are equally tied to the strength of your vendor GDPR policy framework.
- Contract Language
  Please consult an attorney on the technical verbiage when updating and reviewing the applicable vendor contract language. However, if your vendor is storing data on your behalf, then you must ensure that they understand the GDPR requirements and the liabilities, potential monetary fines and other recourse for which they would be responsible. The language should also specify the right to audit GDPR compliance, breach notification requirements, and notification protocols and points of contact.
- Defining Vendors as Data Processors – Chapter 4, Articles 24-43
  Since the vendor is storing, accessing or processing data subjects’ NPPI, it’s important that information security, privacy policies and other controls are reviewed regularly. Information access audit logs should also be reviewed to confirm who in the vendor organization is accessing the subject data, and control evidence should be provided on request. This can be an additional process alongside current ongoing monitoring activities, since performing this purely on an annual basis does little to address and mitigate unauthorized access to the data.
- Defining the Scope of Subject Data – Chapter 2, Articles 5-11
  Unlike the US, the data considered private by the EU is expansive and goes beyond the typical name, address, SSN and NPPI. Data which can identify a subject also falls under this category and may include IP address, email, medical information and even biometric data points. Due to this expansion of what qualifies as private data, I recommend that you detail each data point and confirm with the data processor exactly which data elements are being stored.
- Data Breach Notification Requirements – Chapter 4, Articles 33-34
- Update Policy and Procedures – Chapter 4, Article 35 and Articles 37-39
  GDPR is effective May 25, 2018. If you determine that you fall under this regulation based on your global business model, then you must update your policy and program. As you can see from the above outline, this impacts legal, compliance and third party risk. The detrimental impact can be viewed as regulatory pressure, monetary fines and reputational loss of customer trust. The update to your internal policy and program should also extend to that of your third party vendors. Depending on the size of either organization and the amount of private data it collects, a data privacy officer may be required to formally manage information and data security. This makes a strong case for intimately understanding your vendors’ adherence to this regulation.
As you can tell, GDPR doesn’t only impact European citizens, and it does not exclude third party risk management. It’s important to review the regulation thoroughly to understand how it will affect you and your organization as the data controller. I encourage you to make changes where needed. It could potentially save your organization from a fine of up to 20 million euros or 4% of global revenue, whichever is larger.