The GDPR has imposed new rules on organisations to protect EU individuals’ personal data. Organisations are responsible for EU personal data managed by their third-parties, but are they ready to manage their third-party risk and comply with the GDPR?
Third-parties are intrinsic to the way most organisations process and manage personal data including everything from cloud platforms for data hosting, cloud hosted finance and HR applications through to marketing agencies and web technologies.
But how much risk do they present to the controllers themselves?
Our experience indicates that the majority of data breaches include the involvement of a third-party. Hard evidence to support this is limited with estimates varying between 12% (Radar Inc. research of 10,000 incidents from the past year) and 63% (Soha Systems research - go.soha.io) of breaches caused by the third-party supply chain. It’s safe to assume that the proportion is significant and destined to grow – as hackers realise that such platforms often represent a single point of failure for multiple organisations.
Under the GDPR, organisations have a legal responsibility to select and manage third-party processors responsibly and this white paper lays out our 6-step process for minimising your risks with third parties.
GDPR Recital 81:
“when entrusting a processor with processing activities, the controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements of this Regulation”
The following process should be treated as a basic framework. Importantly while the sequence & emphasis of these different steps may vary within each organisation, all of the steps should be demonstrable in every organisation. Remember that demonstrability and accountability are fundamental requirements for GDPR compliance.
Additionally, there should be clear responsibilities allocated within the organisation for ensuring that these steps are utilised as required, these responsibilities should also be clearly documented.
The last fundamental is recognising and embracing this as an on-going process. This forms a type of “Plan-Do-Check-Act” cycle that underpins many active management processes and should be familiar to many. Suppliers and the work they undertake is a dynamic picture in most organisations so treating this as a one-off process will at best reduce risks only in the very short term.
GDPR mandates that most larger organisations are required to maintain comprehensive documentation including comprehensive details of all processors. However, in practice, we find that many organisations are not sufficiently aware of the full range of third-parties that are engaged. In particular, cloud-based services can often be engaged outside of an organisation’s standard procurement processes and beyond its traditional information security controls.
It is impossible to manage third-party risks without a complete understanding of who they are and what they do. The first step is to develop an internal process to build and maintain a full list of such suppliers which needs to identify for each processor the following:
Building (and importantly maintaining) this list is often best accomplished by using an appropriate mixture of questionnaires, interviews and reconciliation with other sources (such as from the organisations purchase ledger and/or contracts library.
GDPR Article 30:
“Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility.”
The organisation should have policies for privacy practice which should be enacted with the use of standardised Data Processing Agreements (DPA’s), Non-Disclosure Agreements (NDA’s) and Supplier Contracts.
This framework of documents should be developed and maintained – and all agreements with third parties should reflect the acceptable minimum data processing terms that they contain.
These important tools in managing your relationships are not only great evidence of your commitment but also lay the groundwork for negotiation and selection of suppliers who can operate to the standards expected of the organisation.
Some key points to remember when contracting include:
Importantly it may not always be possible to use your contract – particularly if you are a smaller organisation contracting with a big supplier. Examples might include Microsoft and Salesforce, two processors where you are mandated to use their standard contractual terms. In this situation the proposed contracts should be reviewed and terms which are inconsistent with your organisational standards should be identified and the risks evaluated – and signed off by senior management as required.
GDPR Article 28:
“a processor shall be governed by a contract… …that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller”
It’s now becoming commonplace for organisations to issue a standardised questionnaire to prospective suppliers to understand their capabilities on managing privacy and security. This dialogue is a valuable step in evaluating risk however we don’t always find that these ask the right questions in the right way.
It’s important to ensure the questions being asked are relevant to the processing being undertaken. For example:
Importantly the same questions should be asked of the sub-processors that the proposed suppliers might use – and it’s often here that the greatest risks are to be found. Ensure that your questionnaire asks detail around these and be prepared to go directly to the sub-processor if they are significant – any resistance to this by your supplier should be noted carefully.
Like all good interviews your questions you should focus on “open” rather than “closed” questions. Ask “how” rather than “do you” – and then carefully consider the results.
Assess the risk of the responses you did receive and then triage into three main groups. OK, Acceptable Risk and High Risk. Where risks are unacceptable, then either agree remediation with the supplier prior to placing the work (see Stage 5 Fix) or select a different supplier. No response should be interpreted as “High Risk”
Ensure your documentation is updated – and don’t forget to repeat the assessment at a suitable interval or when the processing is changed.
"The processor shall not engage another processor without prior specific or general written authorisation of the controller”
Where the risks appear to be high, the processing is sensitive or the results of the assessment appear unclear you might consider putting “boots on the ground” and undertaking an onsite audit on the supplier.
A robust audit will be both interview and evidence based and include:
Importantly the results should always be shared to enable the processor to improve their governance processes. Immediate or critical issues might be raised prior to leaving the site.
GDPR Article 28:
“[the contract shall]… …allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.”
The assessment and audit stages can both result in identified issues and risks. Sometimes the risks will be acceptable to the stakeholders “as is” but in many cases something will need to change to ensure the processing is now acceptable.
Before you can approach the third-party, the acceptable remediation must be agreed internally with key stakeholders. The third-party should be appraised of these changed requirements and the reasoning carefully explained.
Once agreed then a timescale and project plan steps should be confirmed and centrally documented to form part of centralised privacy documentation.
It may be important to closely monitor progress (this will depend on the scale of the change) and once complete the modification should be thoroughly tested and a formal sign off agreed.
Some third-party relationships may be sufficiently important, sensitive or risky such that some form of testing or monitoring is essential to ensure that the third-party process continues to operate as expected.
DQM GRC recommends two tools that can be used:
1) Data Seeding & Tracking
Insert unique “tracking records” into the data that is either being gathered or processed by the third- party and then monitor how these records are contacted and used. Importantly, log carefully every instance of use of the “tracking records” and compare to what should be allowed or expected from this process. This will provide invaluable insight into the effectiveness of the processing and quickly reveal if the data is being used in unexpected ways – ultimately this can detect a data breach and give early warning of impending problems.
2) Data Subjects Rights Testing
This is a more proactive testing approach where you can test how effective your organisations ability to respond to (for example) a data subject access request.
Engage the help of existing customers or prospects and get them to issue DSAR, change data, restrict processing or other right. Try this in different ways and by different contact media, then carefully monitor what happens. This kind of “mystery shopping” for privacy processes often results in real surprises. When DQM GRC undertakes these exercises on behalf of clients, it is normal for us to discover that many requests simply don’t make it to the customers privacy team from the third-party until it’s too late (if at all). This practice can help identify the shortfalls in this communication and improve the service offered by the third-party.
While not part of our 6-Step process, it’s worth understanding the value of certifications and “Privacy Seals” when selecting suppliers.
The GDPR “pushes” regulators to introduce certification schemes to enable both consumers and organisations who are selecting services or suppliers to consider privacy easily in their decision making.
The ICO (and equivalent bodies in other regions) will approve and publish certification criteria for certification schemes, accredited certification bodies (third-party assessors) will then be able to issue certification schemes and organisations will then apply for certification, be audited and use these “badges” as part of their demonstrable approach to privacy.
As of January 2019, there are no such schemes available, however, the ICO have allocated internal responsibility and are working with European Data Protection Board to develop suitable criteria.
We would envisage such schemes becoming available in 2020.
GDPR Article 42: “[the supervisory authorities shall encourage] the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors.”
Third-party processors constitute a significant GDPR risk. Using the 6-Step process outlined in this document will mitigate these risks considerably. DQM GRC have unrivalled experience with 20 years of third-party management and can help at every step.
If you would like to contact us further to find out more then please use the form below or call us on 01494 442900.
Further reading from the ICO:
Controllers and processors under the GDPR:
Guidance on contracts and liabilities between controllers and processors: