A GDPR Compliance Checklist for Third-Party Risk Management
Originally passed into law in May 2018, the General Data Protection Regulation (GDPR) is a privacy law that governs the use, movement, and protection of data collected on European Union (EU) citizens. The GDPR covers any organization that collects, stores, processes, or transfers personal data on individuals in Europe, regardless of the organization’s location.
Why Third-Party Risk Management Is Important in the GDPR
Because third parties are often responsible for managing personal data on behalf of their customers, organizations must take special care to ensure those vendors and partners have data protection controls and governance in place. This involves conducting data privacy controls assessments; analyzing the results for potential risks; and requiring that third parties remediate those risks to avoid regulatory, financial, and reputational exposures.
The EU aggressively enforces the GDPR, with several notable sanctions levied against companies with third-party failures, including:
- Luxembourg’s regulatory body fined Amazon €746 million for breaching GDPR, claiming that Amazon’s advertising system isn’t based on “free consent.”
- In early 2021, France’s data protection authority fined an unnamed data controller €150,000 and its third-party data controller €75,000 for failing to implement adequate security measures.
- The Data Protection Authority of Hamburg, Germany, fined clothing retailer H&M over €35 million for overly broad “monitoring of several hundred employees.”
- Google was fined €50 million by French data regulators for a “lack of transparency, inadequate information and lack of valid consent regarding ads personalization.”
- The UK’s Information Commissioner’s Office fined British Airways £20 million in 2018 for failing to protect the personal and financial details of 400,000 customers.
This post summarizes why organizations should care about GDPR and how they can assess their internal processes and third-party relationships against GDPR requirements.
Third-Party Risk Assessments Are Required Under GDPR
To protect themselves from risk, organizations are required by the GDPR to conduct risk assessments to identify risks both inside the organization and with any third party that will have access to personal data. Recital 76 – Risk Assessment – states that, “Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk.”
Organizations subject to GDPR regulations must ensure that they and their third parties protect the privacy of any personal information collected and/or processed. This means conducting a thorough evaluation of the risks present in each third party and ensuring that appropriate controls are in place to mitigate risk.
How Prevalent Helps Meet GDPR Third-Party Risk Requirements
The Prevalent Third-Party Risk Management Platform includes built-in capabilities to assess internal and external risks to consumer data, automate the remediation of findings, and report to regulators on progress. Prevalent:
- Offers a specific GDPR questionnaire in the Platform, querying the vendor on the technical and organizational measures it uses to protect the rights of the data subject per Article 28, paragraph 1.
- Provides data controllers with a 360-degree view of data processor risks via clear and concise reporting on control failures along with recommended remediations per Article 28, paragraph 3.
- Centralizes a data processor’s risk profile, enabling a thorough audit of processes mandated by the data controller per Article 28, paragraph 3.
- Provides ongoing periodic or secondary assessments to continually monitor the technical and organizational measures in place at the data processor, ensuring a level of security appropriate to the risk, e.g. regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing per Article 32, paragraph 1.
For more details on how Prevalent can help organizations assess their third-party data protection controls to meet GDPR requirements, read The GDPR Third-Party Compliance Checklist or request a demo today. To learn how third-party risk management applies to 20+ other regulations, download The Third-Party Risk Management Compliance Handbook.
Editor’s Note: This post was originally published on Prevalent.net. In October 2024, Mitratech acquired the AI-enabled third-party risk management company Prevalent. The content has since been updated to include information aligned with our product offerings, regulatory changes, and compliance.