GDPR and The Third Party Risk Management Implications

Effective May 25, 2018, the General Data Protection Regulation (GDPR), a European Union (EU) regulation that formally became law in 2016, will bolster data privacy rights for European citizens.

The regulation standardizes data privacy across all EU member states and mandates that organizations that process, store, access or market personal data maintain certain standards and implement protocols around data access, consumer authorization and data breach notification.

Why The Two-Year Gap?

The two-year gap between 2016 and 2018 was put in place purposefully to give organizations time to learn the requirements and build protocols into their own internal compliance management systems.

The requirements are robust, and the implications for businesses can be imposing given how much data handling is involved and how common data mishandling currently is in data security incidents.

Overall, How Do You Know If You're Affected?

As stated above, this regulation affects those who serve EU member states. The regulation also has implications for US-based firms that may have access to EU personal data, so your customer database should tell you whether you are affected. Keep reading to learn more, though, as it impacts many more organizations than you may initially assume.

Repercussions for Noncompliance

Fines for noncompliance are hefty and can be as much as 4% of global revenue or 20 million euros, whichever is less.

Given the massive data breach of Equifax in 2017, GDPR could have resulted in substantial fines for the EU operation of Equifax had the law been active at the time of the breach. Equifax reported additional breaches shortly after the US breach, which also impacted South American and EU citizens.

Across the Pond in the UK

GDPR was passed prior to Brexit, so it remains to be seen how the UK will adopt or implement the more robust requirements of GDPR on top of its current data privacy laws. However, any UK firm managing data on EU subjects would be subject to the fallout.

GDPR’s Impact on Financial Services

In mortgage banking, securities brokerages and similar industries, part of the transactional processing will be performed by third party vendors.

Take for instance Equifax and CoreLogic, two giant data aggregators with vast amounts of personal data. Since both entities operate globally, there is concern that EU data is not only stored and accessed within the two organizations, but also stored in other systems such as data centers or the cloud. Under GDPR, cloud providers are not exempt.

GDPR’s Impact on Housing Finance

For mortgage banking, on the loan application (1003), lenders ask an applicant to disclose whether they are a US citizen. If the answer is no, the applicant is required to provide additional data.

Due diligence would require that proof of citizenship is obtained and verified. This search should be easy to run and would allow a financial institution to account for any EU citizenship data it may have collected. At the very least, the financial institution would then be able to account for all the places this data may have been transferred to as part of the financial transaction.

Anyone accessing or processing this data should trigger a GDPR review to ensure that they are complying.

Vendors that may trigger this additional review:

  • International Credit Vendors
  • Global Data Aggregators
  • Translation Services
  • Push to Pay Fintech
  • Cloud Providers

Rights and Responsibilities

Let's go through the rights and responsibilities related to GDPR's recent expectations. Some of these rights and responsibilities are not absolute and may not be enforced under certain requirements. This is not an exhaustive list, so it should not be used as a check-box activity but rather as a guide.

Rights of the individual/customer of the organizations affected by this regulation:

  • The right to refuse to become a data subject
  • The right to be informed
  • The right to restrict processing
  • Data Portability
  • The right to be forgotten
  • Rights related to automated decision making and profiling

Responsibilities of the organization affected by this regulation:

  • Must appoint a dedicated Data Protection Officer, depending on the size of the organization and the nature of its business.
  • Is responsible for reporting a data breach to the impacted EU citizens and the data privacy agency.
  • Must monitor access to this personal data and audit the reason behind any organization accessing the data.
  • Has 72 hours to report a data breach from the time of discovery. This means confirmed discovery, not suspected, and varies with how serious the impact to the subject is defined to be.
  • Must issue clear "opt in" and approval language for the individual to acknowledge their rights under GDPR.

Personal data is classified as information that can be used to identify an EU citizen. This includes a name, photo, email address, bank details, social media posts, medical information and computer IP address.

Reviewing Your Fourth Party Relationships Will Help You Stay Ahead

Since the use of independent data centers is viewed as a fourth party relationship, it is evident that the EU law GDPR may have a global impact.

The requirement for robust third party risk management oversight will be highlighted as an important area of concern for organizations that outsource processes or data. In turn, it makes a strong case that third party risk management must go deeper than just the initial third party relationship. Follow the spider web of who has access to PII (Personal Identifying Information), not only for your primary customer base but also for the international third and fourth parties you may have conducted business with.

With that in mind, now is the time to take stock of your customer database and review the vendors that encounter their personal information.
