GDPR: Understanding the Impact on Third Party Risk - Part 1

A simple Google search on GDPR requirements and GDPR checklists will result in lots of information and free resources. The sheer amount of information available is dizzying to say the least and with any new regulation, lots of myths begin to emerge. The tasks of verifying the accuracy of the advice given is another concern. To understand and interpret the regulation takes time and good old-fashioned research. Hopefully my background in regulatory compliance and risk management will help you figure out the woods from the trees. Let’s go through important GDPR points now.

GDPR - A High Level Summary 

The General Data Protection Regulation is a European law which will act as the primary law regulating how companies protect European Union (EU) citizens’ personal data. The law was passed by the European Parliament in April 2016 and becomes effective May 25, 2018.

The Regulatory Impact

Regulatory fines will vary based on a tiered approach on the severity of the violation. Firms may be fined up to 4% of global revenue or 20 million euros. The European law will have a global reach and is increasingly becoming a regular topic with U.S. based firms who either operate in Europe or export European data outside of the EU.

GDPR Chapters and Articles

The law itself is broken down into 11 chapters. These contain the following headers so the regulation itself becomes manageable or at least the reader can navigate through the requirements. Within each chapter are several articles. There are 99 articles in total which go into the granular level detail a compliance professional would expect to flesh out the regulation.

• Chapter 1: General Provisions
• Chapter 2: Principles
• Chapter 3: Rights of the Data Subject
• Chapter 4: Controller and Processor
• Chapter 5: Transfers of Personal Data to Third Countries or International Organizations
• Chapter 6: Independent Supervisory Authorities
• Chapter 7: Cooperation and Consistency
• Chapter 8: Remedies, Liability and Penalties
• Chapter 9: Provisions Relating to Specific Processing Situations
• Chapter 10: Delegated Acts and Implementing Acts
• Chapter 11: Final Provisions
  
  

How GDPR Relates to Third Party Risk

With GDPR, you as the data controller need to understand your data processor’s, aka your third party’s, data protection and information security protocols. The institution is responsible for any mishaps that happen at a third party who houses your consumer’s sensitive information such as Non-Public Personal Information (NPPI). Your data security is at risk here if you are not thoroughly doing your due diligence.

Chapter Highlights

Chapter 1 - General Provisions: The regulation outlines the requirement of data privacy protection to natural EU citizens with the processing of personal data and aims to manage the movement and storage of this data within or outside of the EU – if any of your clients are EU citizens, this regulation affects you.

• The scope of the regulation does not include the personal information of those who are deceased.
• Data privacy rights of EU citizens is not protected as it pertains to criminal offenses or national security concerns which pose a threat to the general public as this information needs to be accessible.
• Personal data definitions are expansive compared to typical US definitions of NPPI. Under GDPR, personal data means any information which may identify the individual such as name, identification number, location data, online identifier or factors which indicate physical, physiological, genetic, mental, economic, cultural or other social identity of the individual.
• Three stand out terms are identified as Controller, Processor and Third Party. Each is responsible for the gathering, storage and access in terms of compliance and should be cause for concern for any company involved in the data collection of EU individuals.
  
  Note: It’s not an assumption that third party risk is involved, it’s fact – it’s specifically noted in the material.

Chapter 2 - Principles: Data collection should be processed lawfully and transparently with the individual being able to freely give consent for the purpose of which the collection was intended. Data controllers, aka you as the institution, are encouraged to only collect pertinent information with a focus on data minimization.

• Data must be kept up to date and only stored for a relevant timeframe subject to the actual business need in conjunction with EU or member state laws. Understanding what your vendor does with the data collected and exactly what happens to the data after a vendor relationship is terminated is important. This impacts your third party risk as you want to verify the data is being properly removed from their systems.
• The controller must be able to demonstrate that the individual has consented to processing their personal data. Failure to provide evidence of this requirement would be considered noncompliance under Article 7: Conditions of Consent.
• Data collection on individuals below the age of 13 is prohibited. Controllers must verify that parental responsibility and consent is provided for children below the age of 16.

Chapter 3 - Rights of the Data Subject (Individual): The controller must communicate with the individual relating to data processing in a clear concise and transparent manner. This must be in clear and plain language and should be provided to the individual in writing either in mail or electronic means. Should the individual speak directly with the controller, the information may be provided verbally provided that the individual has been able to prove their identity. As an institution, you need to make sure you’re aware of your vendor’s customer procedures for things like this should they come into contact with your clients in this way.

• The controller must cooperate with the individual’s request to exercise their rights under articles 15–22 unless the controller demonstrates that they cannot identify the individual with the information which has been provided. Articles 15 – 22 address the individual rights to exercise data processing restrictions, data portability and the right to be forgotten. It’s again important to understand your vendor’s procedures to guarantee they will meet this standard.
• The rights of the individual are voided when it pertains to public interest/safety or of a criminal investigation as discussed in Chapter 1.

While the compliance clock is ticking down quickly with the “go live” date of May 25, 2018 for GDPR compliance, check into our blog for Part 2 – we’ll will cover additional chapters of this new regulation aimed at protecting the individual’s personal information. 

In the meantime, make sure your policy and program documents are up to date to include  GDPR. Download our Vendor Management Umbrella infographic series.