Rethinking Third-Party Risk Management (TPRM) in the GDPR Regime

Building an Effective TPRM Framework

The GDPR imposes new rules on organizations to protect EU individuals’ personal data. Banks are responsible for EU personal data managed by their third parties, but are they ready to manage their third-party risk and comply with the GDPR? This article discuss GDPR requirements to strengthen banks’ third-party risk management.

General Data Protection Regulation (GDPR) Overview

The GDPR is a European law that will act as the primary regulation on how companies protect European Union (EU) citizens’ personal data. This law became effective on May 25, 2018 and extends the data rights of individuals, requiring organizations to take more steps to protect citizens’ data with them or with their third parties by taking the following steps:

• Developing privacy policies and procedures to protect personal data
• Adopting appropriate technical and organizational safeguards to protect the individual’s right to privacy

GDPR at a Glance

1. Rights of Individuals – The GDPR provides the individual with enhanced rights regarding the processing of their personal data.
2. Data Protection Officers – Organizations need to appoint a DPO where large-scale personal data processing is required.
3. Privacy by Design – Organizations need to design compliance policies, procedures and systems to ensure the privacy of individuals’ personal data.
4. Privacy Impact Assessment – A PIA needs to be conducted for third parties to identify and mitigate data privacy risks.
5. Data Breach Notification – Data Controllers must notify the DPA and data subjects of any personal data breach within 72 hours of detection.

Key Roles in GDPR

To get a clear understanding of bank obligations under the GDPR, it is important to understand whether your role is of Data Controller or Data Processor. For example, a bank decides to outsource its customer personal data analytics task to a third party to understand spending habits or to monitor suspicious transactions, in which case:

How to Manage Third-Party Risk Under the GDPR

The GDPR has passed on the onus of protecting individuals’ data completely to the organizations generating the personal data and processing the data through third parties. Organizations that are data controllers or data processors need to have assurance that all of their third-party vendors and as well as their subcontractors also comply with the GDPR requirements.

The GDPR is not a one-time implementation regulation, but an ongoing process that requires periodic risk assessment for third-party vendors. Organizations are required to align their existing third-party risk management framework with GDPR requirements.

The following are components of an enhanced TPRM framework:

• Gap analysis: Perform gap analysis to assess the current state of data protection rules and identify how data is flowing and used by third parties and their subcontractors.
• Differentiating between Data Controllers and Data Processors: Organizations need to classify third parties and internal departments as Data Processors or Data Controllers.
• Contract review: Organizations now have a legal obligation to establish contractual agreements between Data Controllers and Data Processors, with the terms clearly defining the roles, responsibilities and liabilities of both parties.
• Conduct data privacy impact assessment: Conduct a privacy impact assessment (PIA) to identify and mitigate the data privacy risk of third parties and to assess third-party readiness in complying with GDPR by using the structured checklist.
• Continuous monitoring: Continuously monitor the third party and their subcontractors to identify data privacy risk and set alerts for high-risk third parties and their subcontractors.
• Subcontractor monitoring: Subcontractors also need to comply with GDPR requirements and must be required to assess the risk to the same extent as the processor.
• Mechanism for incident reporting: Enable incident reporting mechanisms for internal departments and their third parties to report data privacy incidents and their potential impact. The regulation requires data breach notification to supervisory authorities within 72 hours of detection.
• Ensure third parties are compliant: Organizations need to make sure their third parties are GDPR compliant and follow strict policies and controls and aligned with the organization’s policies and controls.

Key Considerations for Managing Third-Party Risk in the Age of GDPR

• Know your data: Know how third parties access, store, process, use and transfer the personal data (i.e., the end-to-end data management cycle).
• Extensive screening for third-party onboarding: Expand the scope of due diligence of third parties by adding privacy-related requirements and conducting a data privacy impact assessment while onboarding new third parties.
• Third-party contracts: Review the legal clauses in vendor contracts to ensure they meet the GDPR requirement including by subcontractors.
• Improve third-party risk assessments: Identify and communicate with data owners, perform data privacy risk assessments for all third parties that have access to personal data and enhance the TPRM framework with GDPR requirements (e.g., adding GDPR requirements in vendor risk scoring).
• Risk-based continuous monitoring: Continuous monitoring of high-risk third parties.
• Update your third-party risk management process: Profile third parties, classify them based on criticality and appoint a Data Privacy Officer (DPO) for monitoring GDPR compliance by third parties.
• Implement and monitor controls: Define controls to protect personal data and continuously monitor the effectiveness of these controls. Also, define controls for data processing, accessibility, audit, record maintenance and subcontracting.
• Establish policies and procedures: Establish policies and procedures to detect data breaches and establish incident reporting mechanisms for internal departments and their third parties.
• Enhance IT systems: Enhance respective IT systems to comply with GDPR requirements .
• Adding metadata: Add GDPR-related metadata to vendor data inventory.
• Audits: Add privacy-related controls to the audit plan.

The Bottom Line

GDPR represents a sea change in business data. Banks need to take a very strict approach toward GDPR third-party compliance by taking proactive measures to ensure their vendors are up to snuff and that data is not exposed. It’s time for banks to upgrade their existing third-party risk management framework as per GDPR requirements, which will allow bank to assess third parties for GDPR compliance. It will also help banks to understand their current level of compliance with the GDPR and develop an action plan to mitigate data privacy risk.