On 25th May 2018 the European Union’s General Data Protection Regulation (GDPR) came into force. Developed to give individuals greater control over their personal data, and assurance that it is being managed securely and in accordance with the purposes for which it was collected, it replaced the Data Protection Directive with the intention of harmonising rules and enforcement across EU member states.
Despite its name, GDPR has global ramifications. It’s not simply local businesses that have to conform to the law, but any firm that handles data on any European citizen.
Required amendments run deep
In order to hand power back to the consumer (or data ‘subject’, as they’re referred to in the wording), ensuring compliance has required many businesses (data ‘controllers’) to make huge changes to how they collect, store and process information. And, despite the regulation being in the offing for a while, various reports indicate that many still aren’t completely ready. EY’s Global Forensic Data Analytics Survey 2018 revealed that only one third of global firms are prepared, for example.
GDPR requires a shake-up of data processes and most organisations have been relying on legacy systems and traditional ways of working for years. As such, making the required amendments takes a lot of legwork and many were not prepared for how deep the changes need to go.
With so much to do internally it would be easy for businesses to operate with the blinkers on in order to get things over the line. However, not paying enough focus to what’s going on externally could see them falling short in one area – third party actions.
Businesses are responsible for their third parties
GDPR holds businesses liable for the actions of third parties (data ‘processors’). Article 28 reads “Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject”. Should organisations not follow this and a third party within the network is found to be falling short, they will feel the force of the regulators and will likely be fined.
In order to ensure compliance, businesses must understand how they interact with third parties. Different departments typically cooperate with numerous processors, so it’s imperative that companies know which unit has granted access to whom, what information is being shared, as well as the types of processing activities being performed. For transparency, contracts should state exactly who is accountable for each specific task in regards to data protection and compliance.
As for the processors, they are only supposed to use data as instructed by the controllers and to return or delete information once it’s fulfilled its intended usage. They cannot sub-contract to an additional third party without written consent from the controller and any that are permitted are again subject to GDPR, as well as the original contract. In cases of data loss, processors will assist the controller in fulfilling the regulation’s notification obligations, which could mean disclosing to regulators and subjects.
Building a comprehensive GDPR programme that covers third party networks
Creating new policies that ensure GDPR compliance has resulted in many ripping up existing ones and starting again, but the shared liability clause adds complexity. Making it work requires visibility into the risk, controls and compliance status of third parties, and with so many businesses unprepared it’s quite likely that some processors within networks pose a non-compliance risk.
To accelerate the process of ensuring compliance across networks, there are some steps businesses can take.
1. Conduct an audit of the current data processors in use. Ask every unit and department what additional services they are using as some may not realise what counts as a processor. If they use a survey application for market research, for example, the business must be aware of them and what information is being processed. A key principle of privacy by design is “data minimisation”, and ensuring that only the minimum required personal data is being collected and shared through third parties will mitigate risk.
2. Segment and categorise third parties based on data accessibility, as well as the criticality of data that they manage. Conduct Data Protection Impact Assessments (DPIAs) on any that have access to personal data, and evaluate their ability to comply with GDPR requirements. This should involve defining assessment checklists, which will identify the controls that they have in place for data processing, accessibility, erasure, record maintenance, notifications, and sub-contracting. High-risk third parties should be prioritised for auditing.
3. Develop a new risk-based approach to third party due diligence. Business should only be conducted with new processors once they have been rigorously evaluated, and the department responsible for conducting that analysis should be set out in the policies. Moreover, it must be communicated to all employees that they cannot agree to a new service without the proper checks. Educating employees around GDPR and best practice data handling measures will also help to strengthen the business’ overall cybersecurity risk posture.
4. Ensure that policies and technologies are in place to detect data loss, as well as to communicate the incidents to internal departments and the third parties that they manage. These policies and procedures should include details on the importance of notifying regulatory bodies promptly when a data breach or other violation occurs. Similarly, third party incident reporting mechanisms should be implemented to ensure any events are immediately reported up the chain so any potential impact is mitigated.
Ultimately, GDPR has been introduced to safeguard individuals. The older rules were created at a time when data collection and use were simply nowhere near today’s levels, and they no longer provided sufficient protection. With GDPR now in enforcement, businesses will be aware of the potential implications of non-compliance. It’s imperative that they ensure that third parties are working to a standard of data protection that matches their own.
French Caldwell, chief evangelist, MetricStream