Risk exposure is indiscriminate, regardless of the size of the company. Now that GDPR is in full effect, organizations should be engaged in activities to demonstrate compliance. This includes implementing a solid vendor risk management program to identify, track and monitor your company's risk exposure. Under GDPR your company could face fines, penalties and other possible legal ramifications.
To prepare for GDPR, organizations should have overhauled critical business operations, one of them being their vendor risk management program. The language in GDPR regarding data controllers and processors is very clear: you are liable if one of your third-party processors suffers a breach that leads to customer data being compromised. The illustration below provides a high-level overview of the applicable GDPR articles that may be impacted by vendor risk management.
GDPR has many articles that affect data processing by both controller and processor. More specifically, Article 28 mandates that controllers must use only processors that have demonstrated and provided sufficient guarantees that they have implemented the appropriate technical and organizational measures to ensure the protection of data subjects' rights. This means you must perform due diligence and assess your third-party vendors to ensure they are meeting GDPR compliance requirements. Furthermore, the process must be documented.
To help you understand how your vendor risk management program can impact GDPR compliance you must first ask a few questions:
- What type of personally identifiable information are you and your vendors collecting, processing or storing?
- Who is processing personal data on your behalf?
- Where is this data stored?
- How and when is it disposed of?
- Does the data belong to EU citizens or residents?
- What personal data is being processed?
- What is the purpose for the processing?
- Who can access this information?
- Do you have policies and procedures for data collection, use and compliance?
- What protections and precautions are being taken by both the controller and the processor to protect your customers' and employees' personal data?
- What is the process for breach notifications?
Identify Key Risk Areas:
- Did you inform your EU citizens that you are sharing their data with third parties?
- Are you sure your vendors can guarantee an adequate level of protection, and how can you provide proof?
- Have you conducted vendor risk assessments to determine the impact of GDPR and how it applies to you and your vendors?
- Are you conducting data privacy impact assessments before you onboard new systems/vendors?
- Have you established policies and procedures to onboard/offboard vendors, monitor their compliance and assess them regularly?
- For high-risk vendors, conduct controls testing of internal data sources, onsite reviews and periodic questionnaires to ensure third party vendors are not altering or deleting data.
- Centralize your vendor management program – ZenGRC can support this process effortlessly.
Effective vendor management requires a systematic approach to identifying and managing vendor risk. It is not unreasonable to expect that sometime soon you will have to demonstrate your compliance with GDPR and vendor management requirements. Audits will ultimately happen, and how you manage vendor risk will be assessed, questioned and tested. Building a strong program in a tool like ZenGRC will help you navigate the way.