Managing Third-Party Cybersecurity Risk: Is your company GDPR-ready?
Companies have to practice ongoing vigilance and adopt scalable end-to-end processes to ensure the GDPR compliance of their third-party vendors.
The European Union’s General Data Protection Regulation (GDPR) took full effect on May 25, 2018, and companies both in the EU and around the globe now face unprecedented levels of scrutiny for their handling of private data. GDPR gives regulatory authorities greater powers to take action against companies that breach data privacy law, including penalties of up to 20M€ or 4% of a company’s annual global revenue.
While most businesses are aware of GDPR, too many have prepared by focusing on internal data handling policies and overlooking an even greater threat: third-party cybersecurity risk.
According to GDPR Article 28, companies are held accountable for the handling of data regardless of whether it’s in-house or by third-party vendors or partners.
“Where the processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this regulation and ensure the protection of the rights of the data subject.” – GDPR Article 28
This might seem like a secondary concern next to managing internal policies and procedures, but the fact is that third-party risk represents one of the largest and most overlooked threats to data security at large organizations today. Even though as many as 63% of data breaches take place through third-party vendors, few organizations treat third-party risk as a top cybersecurity concern. This will have to change under GDPR, or else businesses will face unprecedented consequences and fines.
It is crucial for businesses to understand how they are affected by GDPR’s third-party data handling regulations, and find a way of managing and scaling third-party risk assessments in order to ensure their GDPR readiness.
GDPR and Third-Party Cybersecurity Risk: Understanding Your Company’s Threats and Obligations
GDPR is one of the most sweeping data regulations ever to be enacted. Its broad scope is a game changer in the world of data privacy, and it has major effects on the way companies must manage third-party vendors.
- GDPR is extraterritorial in scope, meaning it applies to any entity that touches the personal data of EU citizens regardless of where that entity is located.
- GDPR defines personal data in broad terms, and includes economic, cultural, physical, mental, genetic identifiers, in addition to social identifiers like name, phone number, address, etc.
- GDPR expands consumer rights, requiring new levels of access, consent, correction, data portability, and erasure.
This essentially means that individuals retain virtually unlimited control over all aspects of their personal data, and companies are obliged to comply or else face severe penalties. GDPR uses terms that set these standards as broadly as possible.
- The data subject referenced in Article 28 can be any “natural person whose personal data is processed by a controller or processor.”
- The data controller is “the entity that determines the purposes, conditions and means of the processing of personal data.”
- The data processor is “the entity that processes data on behalf of the data controller.”
Companies are responsible for following GDPR when processing information from all data subjects, whether they collected the data themselves (data controller) or obtained it from elsewhere (data processor). Conversely, any company that collects user data (data controllers) must ensure that all of their third-party vendors (data processors) also meet GDPR regulations. This includes the provision of “privacy by design” (Article 25), which calls for data protection to be built into products and services, rather than being tackled as an afterthought. Companies need to design compliant policies, procedures, and systems at the outset of any product or process development.
In short, when it comes to following GDPR, third-party risk is indistinguishable from internal organizational risk.
In order to ensure their own compliance with the law, companies must employ a thorough, dependable, and scalable solution to assess the GDPR compliance and overall cybersecurity risks of their third-party vendors, ensuring that they all have proper procedures and policies in effect now and not after a breach happens.
Avoiding Third-Party Data Breaches: Steps Your Company Should Take Now to Ensure GDPR-Readiness
GDPR might seem overwhelming, but there are tangible steps that any organization can take now to ensure readiness for the sections pertaining to third-party vendor risk. These include the following:
- Appoint a Data Privacy or Compliance Officer. This person will be responsible for overseeing your company’s GDPR compliance and leading initiatives to fill any gaps.
- Map your data. Understand where all of your user data is located (i.e., which third-party vendors have access to it), which categories of data vendors can process and access, and what they are doing with this data.
- Make sure your company only collects data that is necessary, and regularly reviews the legal grounds for processing data in its possession.
- Allocate budget and resources for completing assessments of third-party vendors. This lets you determine the cybersecurity maturity of your third-party vendors and their level of compliance with GDPR when it comes to processing data.
- Review your contracts. GDPR contains new requirements for contracts with data processors, as well as between data controllers. Categorize your third-party vendors as processors or controllers, and review contracts for compliance with GDPR.
- Complete a Pre-Implementation Assessment of all your third-party vendors that have access to or handle your client/personal data. This should ascertain: 1. Their awareness of GDPR; 2. That they have appropriate technical and organizational measures in place to comply.
- Ensure that third-party vendors are risk-scored according to assessments and other due diligence. Agree with your compliance team on remediation programs and ongoing monitoring requirements.
Some of these steps can be achieved with changes to internal policies, procedures, and personnel. However, organizations must adopt a scalable, end-to-end cybersecurity risk assessment solution in order to meet the new requirements for assessing the GDPR compliance of all of their vendors.
Ensure GDPR-Readiness with Scalable, Automated, and Analyst-Validated End-to-End Third-Party Cybersecurity Risk Management
GDPR’s requirements for third-party data processors bring a critical new level of importance to third-party risk assessments. This has hit companies across the board with new demands, from IT departments tasked with finding organization-wide security solutions to Procurement departments suddenly dealing with new and more rigorous requirements in their buying process.
The most common practice is for IT departments to conduct vendor risk assessments with questionnaires that might be internally generated or part of a collaborative industry group. Procurement departments, for their part, have traditionally had to pass third-party risk assessments over to IT. With the growing volume of assessments under GDPR, and the meticulous care that has to be applied to each, these processes create a number of problems when it comes to scaling risk assessments.
- Scaling to assess thousands of vendors presents major hardships
- All vendors, large and small, represent a risk – there is no room for cutting corners to save time
Expertise and Staffing:
- Staffing a team is costly and time consuming
- Performing vendor assessments takes a lot of time
- Security teams are understaffed and over-tasked
- Security professionals are a scarce resource
- Recruiting the right people and keeping them is challenging
- Need to expand vendor assessments to 24/7, 365 days-a-year
- Need to assess vendors worldwide
- Need to function in various foreign languages
- Onboarding, assessing and monitoring is costly
- Time is money, and internal resources should be allocated to higher value tasks
CyberVadis is the first scalable solution to cover the full third-party risk assessment process by offering the speed of AI-based automation and the certainty of analyst-validated cybersecurity ratings. We cover every aspect of third-party risk assessments, from risk mapping, to creating customized questionnaires, to making sure vendors complete the process with our engagement team, to validating results, offering a detailed improvement plan, and enabling collaboration for follow up actions between companies and their vendors.