Risk is a hazard whether a company is large or small. Now that the GDPR is fully in force, organizations must follow compliant best practices.
These include a robust vendor risk management program to help identify, track and monitor your company’s risk exposure. Under the GDPR, your organization may otherwise face penalties, fines and other legal consequences.
The EU General Data Protection Regulation (GDPR) assumes that all e-commerce is exposed to cybercriminals. Breaches of confidential consumer data are reported almost every day. Although consumer data privacy concerns are the most commonly cited, the scope of personal data under the GDPR also extends to payroll and healthcare data.
To be prepared for the GDPR, companies will need to overhaul some important business operations, and their vendor risk management programs are among them. The language of the GDPR on data processors and controllers clearly states that you are legally accountable if customer data is breached through one of your third-party processors.
Many articles of the GDPR affect data processing by both processors and controllers. Specifically, Article 28 states that controllers must use only processors that provide sufficient guarantees. In addition, processors must have appropriate organizational and technical measures in place to protect data subject rights.
This means that you will have to apply due diligence and test your third-party vendors to verify that they meet GDPR compliance requirements. The entire verification process also has to be documented.
To understand how GDPR compliance affects your vendor risk management program, first ask yourself a few questions:
- What kind of personal data do you and your vendors collect, process or store?
- Who processes personal information on your behalf?
- Where do you store your data?
- How and when is this data dealt with?
- Is this data for EU residents or citizens?
- What personal data do you process?
- For what purpose is this data processed?
- Who can access such information?
- Do you have policies and procedures to control your data collection, use and compliance?
- What controls and precautionary measures do your controllers and processors have in place to protect the personal data of your employees and customers?
- What are your procedures for breach notifications?
If you want to identify key risk areas, ask yourself these important questions:
- Have you informed your EU data subjects that you are sharing their information with third parties?
- Are you confident that your intermediaries ensure an adequate level of protection? How can you validate it?
- Do you conduct vendor risk assessments to find out how the GDPR affects you and your vendors?
- Do you conduct data privacy impact assessments before bringing new systems or vendors on board?
- Have you developed policies and procedures for onboarding and offboarding vendors, and for monitoring and regularly assessing their compliance?
- For high-risk vendors, are you testing controls over internal data sources and performing on-site reviews to prevent data from being changed or deleted by vendors?
- Have you centralized your vendor management program?
Under the GDPR, any data breach has to be reported to the authorities within 72 hours. If there is evidence of mistrust between organizations and third-party vendors who are reluctant to notify their customers of your data breach, then you under GDPR.
If you are covered by the GDPR, update your policies and programs as it affects legal, compliance and third-party risks. Non-compliance can lead to monetary fines, regulatory pressure and customer mistrust, and with them reputational loss.
When updating your internal policies and programs, include your third-party vendors as well. Depending on the size of your organization, the amount of data you collect will determine whether your data privacy officer can formally manage your data security. This will strengthen your position and help you understand your vendors’ adherence to the regulation.
Soon you will need to demonstrate your GDPR compliance and vendor management. Audits will be conducted, and they will evaluate, inquire into and test your vendor risk management practices.