Third Party Thursday

March 29, 2018

How GDPR Impacts Third Party Risk Management

Podcast: Play in a new window | Download

While the General Data Protection Regulation, aka GDPR, is a European regulation, it has a global impact on any company which is collecting, storing or accessing European resident private data. The effective date of this regulation begins on May 25, 2018. Listen to Third Party Thursday to learn what you need to know about GDPR and third party risk in order to be prepared and stay in compliance.

Available on
Listen-on-Apple-Podcasts-badge.jpg  google-play-badge 2.jpg


Podcast Transcript

steve greenfield chief risk officerHello everyone, and thank you for joining me today for our Third Party Thursday podcast. I’m Steve Greenfield, Director of Third Party Risk here at Venminder. This week, we’ll discuss a pending regulation from across the Pond.  It’s the European Union’s GDPR. GDPR  stands for General Data Protection Regulation. 

As the name suggests, while this is a European regulation, it has a global impact on any company which is collecting, storing  or accessing European resident private data.  A common misconception is that the regulation only applies for firms who are doing business in Europe, however the export of this data off European soil also falls under the jurisdiction of the law. Cloud storage vendors for that matter, would therefore be required to be compliant with the regulation and would be classified as a data processor.

The regulation itself was passed by the European Union Parliament in April of 2016. After a 2-year implementation period, the effective date goes live on May 25, 2018, so time is running out. If your compliance team is behind the eight ball on this requirement, then I encourage you to make this a top priority in reviewing if you are responsible for compliance to GDPR.   

The regulation is timely given the increasing amount of known data breaches that continue to come to light. From a third party risk perspective, GDPR could be considered a regulation which puts third party risk management (TPRM) in the spotlight since there is a strong focus on third party vendors who have access to personal data. With known data breaches being linked to a third party vendor over 63% of the time, GDPR will essentially address the importance of not only citizens’ rights to data privacy but will also require that data breach notification time frames are adhered to.   

As with any regulation, noncompliance may result in fines. Monetary fines are set in place of up to four percent of a firm’s global revenue, or 20 million euros. Based on today’s exchange rates, this equates to about $24 million. This reminds me of the important fact of monitoring your vendor's financial health. The question to ask yourself is could they in fact survive such a fine and if they couldn’t do you have a backup plan in place? It’s a key aspect of vendor management.  

The regulation is broken down over 11 chapters and contains in total 99 articles. Each article really expands on the law itself and gives guidance to what you need to be looking for.  Areas include the basic principle of data privacy as a right of the individual, but also regulates the movement of private data. To empower citizens, there are specific rights provided which include the right to be forgotten, that is it say, that the data collected on the data subject can be removed from all storage systems at the data subject's request. It’s noted that there is a provision, however that the right to be forgotten does not apply if the data is being used for a criminal investigation or one that poses a threat to public safety. In the context of data privacy, the scope of the information which is collected and stored is not limited to the typical NPPI data that financial institutions are used to collecting such as social security records.  

Moving forward, IP addresses, biometric data, geographic location or other social factors which could be used to identify the individual all fall under the scope of the GDPR from the sense that this increasing amount of data collection can be used to identify the individual. 

We can’t cover everything in this podcast but I hope this gives you some initial information which you can use to begin thinking on how best you’ll tackle this important new regulation. For more resources, I encourage you to visit our company page at www.venminder.com 

Thanks again for tuning into our podcast. If you haven’t already done so, please subscribe to our Third Party Thursday series. Until next time, trust but verify.


Subscribe to our Third Party Thursday Newsletter


Join hundreds of clients and see how Venminder can help.