The General Data Protection Regulation, or GDPR as it is widely known, is taking the compliance world by storm. And not in a good way. The law itself is voluminous, with 11 Chapters and 99 Articles.
This regulation is not for the faint of heart and requires many hours of study in order to grasp the fundamentals of the compliance regulation. In fact, the team here at Venminder has been studying this regulation for several months now in preparation for answering the needs of our clients, and we have published several resources on it. Now, with it going into effect May 25, I wanted to cover even more key points on it.
Aimed at protecting the rights of residents of the European Union, GDPR became law in April of 2016. While lawmakers granted a 2-year review period in order for companies to get their house in order, it's clear that 2 years may not have been enough time for comprehension and adoption. Now, with a little over a month to go, GDPR is on its way, and it seems that GDPR non-compliance will be viewed dimly.
One of the mistakes made with GDPR was misunderstanding which firms it applies to. Even US-based firms, whether they operate inside or outside the EU, fall within the line of fire of GDPR compliance. The key trigger is the collection, storage and processing of EU citizen data. Where that data is stored not only brings the primary organization under GDPR regulations, but triggers the same requirement for the third party vendors that may either be part of the overall business transaction or simply be acting as a storage provider.
Third and Fourth Party Vendor Oversight Responsibilities
As with traditional oversight and US-based regulations such as OCC 2017-7 and OCC 2013-29, regulators recognize the use of third party vendors, and the resulting emphasis falls not just on the traditional core processors or fulfillment vendors, but squarely on the storage providers who hold mountains of data. GDPR makes a point of bringing cloud providers under its jurisdiction. This addresses the lack of transparency about just what kind of data businesses collect on their consumers.
While each primary business will have to address its own internal GDPR compliance, from a third party risk perspective, internal information security and third party risk management teams will need to address the data privacy and transparency of their own vendors. It promises to be a watershed moment as an industry begins to recognize just how much personal data is being collected and the purposes it is being used for. As with the established practice of owning third party risk, the same is true under GDPR: the primary business is responsible for assessing and managing the data privacy of its data subjects whose data is being handled by its third party vendors.
Within the realm of third party risk, attention must be given to a vendor's compliance management system. Since the vendor operates as an extension of your own brand, the regulatory compliance aspect of not only GDPR but general compliance requirements really begins to shine through. Additionally, this goes deeper than confirming that a vendor is GDPR compliant. Many vendors may state that they are XYZ compliant, but the real test is handling the fallout from a breach or successfully surviving an official regulatory examination.
The Potentially Crippling Monetary Fines as The Result of GDPR Violation
As we have noted in earlier commentary, GDPR has a hefty regulatory fine attached for non-compliance: 4% of global revenue or 20 million euros, whichever is greater. To put this into context, if the recently disclosed Facebook breach had impacted European residents, the potential monetary fine was reported to be in the region of $2.8 billion. While a giant like Facebook could survive such a fiscal blow, many smaller companies may not be so lucky. If your vendor could not survive a 20 million euro or $25 million GDPR fine, the impact on your organization could quickly spiral.
This in itself makes the case for the fundamental best practices of reviewing a vendor's financial health and compliance management system, and for asking whether those reviews provide genuine peace of mind. Just as financial institutions are stress tested, one should look at GDPR regulatory fines as a stress test for vendors to stand up against. If their financial health is weak and you believe GDPR applies to them, then you must follow the flags to ensure that they are truly GDPR ready and compliant. This is not something you can simply take their word for.
The key pillars of vendor oversight immediately become a viable best practice and may save you from what is sure to become a very common headache for all who fall under the far-reaching requirements of the GDPR regulation.
One of The Keys to GDPR Compliance: Updated Policy, Program and Procedure Documents
After reviewing your business model and recognizing that GDPR compliance is required of you, it's vital that you not only review the regulation and enforce the many steps needed to achieve GDPR compliance, but also update your internal policies and procedures to reflect the changes your organization has made, so that you can demonstrate adoption. As a follow-up, it is also important to review your vendors' own internal policies and procedures to better assure yourself of their readiness and GDPR compliance.