Last week we released part 1 of our series on understanding the impact GDPR has on third party risk. There is more to tell. In this part 2 we look a little deeper into Chapters II-IV of the regulation and, specifically, at some of the steps your information security and third party risk management teams can take to address the new requirements.
As a refresher, GDPR stands for General Data Protection Regulation. The regulation applies from May 25, 2018. Its goal is to strengthen data protection for individuals in the European Union (it covers residents, not only citizens). Noncompliance can be met with stiff penalties: administrative fines of up to 20 million euros or 4% of a firm's total worldwide annual turnover for the preceding financial year, whichever is greater. We have previously identified a strong connection between data privacy and third party risk management for organizations globally. Ensuring that your organization is GDPR ready will require a concerted effort across many lines of business. The clock is counting down.
Data Protection Impact Assessment
Under Article 35, data controllers (the institution) should work in liaison with their Data Protection Officer and perform what is called a Data Protection Impact Assessment (DPIA); the regulation uses "data protection" rather than "data privacy" for both terms. As with traditional vendor oversight, taking inventory of the existing vendor panel provides a high-level view of the vendors you are working with.
In many respects, taking stock of the data elements you collect on consumers is a primary function of being GDPR compliant. The concern with individual data elements is re-identification after a breach: even if each data set is held in a form that appears anonymous, an attacker may link it with other data points until the identity of the data subject (the individual) becomes known. Note the distinction GDPR draws here: data that is truly anonymous, so that the individual can no longer be identified by any reasonable means, falls outside the regulation, whereas pseudonymized data (where the link to the individual is held separately, for example in a key table) is still personal data. For this reason, you should take inventory of the types of personal data you are collecting and of how each is protected.
A key requirement here is to also understand whether your elected data processor (the third party) is collecting additional data on the data subject. Under Article 28 a processor may act only on the controller's documented instructions, so any data points the third party collects that you are not aware of both increase the risk of identifying the data subject and represent a contractual gap. Hence the purpose of the DPIA, which is to highlight just how big a risk the storage of and access to data subject information could represent, not only to the privacy rights of the individuals themselves but also in the considerable financial and reputational risks that a data breach could present to your organization.
Under GDPR, where processing is likely to result in a high risk to the rights and freedoms of individuals, in particular when new technologies are used or large volumes of personal data are processed, completing a DPIA before the processing begins is a requirement in order to be considered GDPR compliant.
GDPR Operational Adherence is Key in Establishing Trust with the Data Subject
Under GDPR, the individual has rights over and above the initial transparency right of being informed that their data will be collected. So, while it is important that individuals can consent with clear and transparent disclosure language where consent is the lawful basis relied upon, there are several further rights to plan for. Under the right of access, the individual may request and receive a copy of the personal data held about them. Under the right to data portability, data the individual provided must be returned in a structured, commonly used and machine-readable format. The right to erasure, commonly called the right to be forgotten, is a separate right: on request, and subject to the exceptions the regulation allows (for example a legal obligation to retain the data), the data must be purged from all systems, including those of your processors, and the individual must be told this has been done.
Given the vast amount of data and the number of consumers impacted by GDPR, a gap analysis should be performed to ensure that the potential volume of requests can be handled in a timely fashion. The regulation sets that timeline: a request must be answered without undue delay and in any event within one month of receipt, extendable by a further two months only for complex or numerous requests, and the individual must be told of any extension. Make no mistake, this is not as simple as receiving a customer inquiry. Transactional audit logs detailing inbound requests and the steps taken to satisfy the right to be forgotten may be reviewed during a GDPR compliance examination. Since the regulation is so new, we are unable to say how deep initial examinations may go, but the stiff penalties set as part of this regulation suggest that regulators will look closely at how GDPR compliance has been adopted. Additional information regarding the rights of the individual, referred to in the regulation as the data subject, can be found under Chapter III, Articles 12-23.
As a practical step in addressing GDPR compliance, each organization that believes it is impacted should take inventory not only of its vendor partners but also of its global business footprint and exposure, perform the DPIA, and perform a thorough review of GDPR while incorporating the regulation into its overall compliance management system.
GDPR is sure to impact your vendor risk management policy, program and procedure documents. Download our infographic series so that you can revisit those documents and amend them to include the necessary GDPR precautions.