Can your third parties be trusted to protect your personal data? What the regulator wants you to demonstrate

April 12, 2019


Victoria Back

Victoria Back | Director
Profile | Email | +44 (0) 7710 033 626

The need to monitor third parties now that the GDPR is in force is well understood. Even if I have my own house in order, what happens if a third party causes me to breach the GDPR? I may be well on the way to getting my contracts in order, and I have the right to audit my supply chain and the data privacy controls my processors have in place in order to meet the Article 28 requirements, but how is this going to work in practice, and what is the regulator really going to be interested in?

Some consistent themes emerge when I look back over my experience on regulatory compliance projects. Regulators want a clean bill of health but, underneath that, there are some key points to consider if you want to get the regulator on side and build their confidence that you are not only taking this seriously, but taking it seriously for the long run.

A “one-size-fits-all” approach won’t cut it

The GDPR requires the data processors in my supply chain to make available to me all information necessary to demonstrate compliance with Article 28. But how should that work in practice? The GDPR expects a risk-based approach and the ability to evidence your accountability for your decisions. That cannot be achieved with a one-size-fits-all approach: at one end of the scale, relying only on certifications may not be enough; at the other, undertaking on-site audits or requesting independent formal assurance of every third party may be overkill. What matters is the ability to stratify the population from low to high risk, and to design an ongoing monitoring and assurance response model that is proportionate to that risk.

Document your criteria and make them defensible in the context of your business

What is it that worries you most about your third parties, in the context of your business? The sensitivity of the data they hold, sub-outsourcing arrangements, previous audit issues, the maturity of their control framework? The criteria should be considered, reviewed and approved by those charged with governance, and then fed into the population stratification process. Is there a tail of third parties that you de-scoped for various reasons? If so, how do you gain comfort over that tail? The regulator will want to understand why the business is comfortable de-scoping certain third parties.

Have the data at your fingertips by constructing a framework that has longevity

Regulators like to know that their questions can be answered easily because the business has the information at its fingertips. It does not look good if you cannot quickly pull an inventory of your third parties because the list has to be stitched together from remediation spreadsheets, a list of new third parties and an email from the procurement department about changes to existing agreements. As discussed in my previous blog, you need a lean and nimble framework that can react quickly to requests for data, both from the regulator and from those charged with governance. Your business is constantly changing: vendors change, new risks emerge, breach incidents in the market inform your response, and the bar for compliance rises. All of this means that the compliance framework needs to be agile enough to change with it. Tech enablement is key to that agility.

For further information on these and other insights, don’t hesitate to reach out.
