
Rethinking Third-Party Risk Management (TPRM) in the GDPR Regime

by Vandana Vaswani
September 17, 2018
in Data Privacy, Featured

Building an Effective TPRM Framework

The GDPR imposes new rules on organizations to protect EU individuals’ personal data. Banks remain responsible for EU personal data handled on their behalf by third parties, but are they ready to manage that third-party risk and comply with the GDPR? This article discusses the GDPR requirements that banks can use to strengthen their third-party risk management.

General Data Protection Regulation (GDPR) Overview

The GDPR is a European law that acts as the primary regulation on how companies protect European Union (EU) citizens’ personal data. The law became effective on May 25, 2018. It extends the data rights of individuals and requires organizations to take additional steps to protect citizens’ data, whether that data is held by the organization itself or by its third parties, including:

  • Developing privacy policies and procedures to protect personal data
  • Adopting appropriate technical and organizational safeguards to protect the individual’s right to privacy

GDPR at a Glance

  1. Rights of Individuals – The GDPR provides the individual with enhanced rights regarding the processing of their personal data.
  2. Data Protection Officers – Organizations need to appoint a DPO where large-scale personal data processing is required.
  3. Privacy by Design – Organizations need to design compliance policies, procedures and systems to ensure the privacy of individuals’ personal data.
  4. Privacy Impact Assessment – A PIA needs to be conducted for third parties to identify and mitigate data privacy risks.
  5. Data Breach Notification – Data Controllers must notify the DPA and data subjects of any personal data breach within 72 hours of detection.

Key Roles in GDPR

To get a clear understanding of a bank’s obligations under the GDPR, it is important to understand whether its role is that of Data Controller or Data Processor. For example, a bank may decide to outsource analytics of its customers’ personal data to a third party in order to understand spending habits or to monitor suspicious transactions, in which case:

How to Manage Third-Party Risk Under the GDPR

The GDPR places the onus of protecting individuals’ data squarely on the organizations that generate personal data and on those that process it through third parties. Organizations acting as data controllers or data processors need assurance that all of their third-party vendors, as well as those vendors’ subcontractors, also comply with GDPR requirements.

The GDPR is not a one-time implementation regulation, but an ongoing process that requires periodic risk assessment for third-party vendors. Organizations are required to align their existing third-party risk management framework with GDPR requirements.

The following are components of an enhanced TPRM framework:

  • Gap analysis: Perform gap analysis to assess the current state of data protection rules and identify how data is flowing and used by third parties and their subcontractors.
  • Differentiating between Data Controllers and Data Processors: Organizations need to classify third parties and internal departments as Data Processors or Data Controllers.
  • Contract review: Organizations now have a legal obligation to establish contractual agreements between Data Controllers and Data Processors, with the terms clearly defining the roles, responsibilities and liabilities of both parties.
  • Conduct a data privacy impact assessment: Conduct a privacy impact assessment (PIA) to identify and mitigate the data privacy risk posed by each third party and to assess, using a structured checklist, how ready that third party is to comply with the GDPR.
  • Continuous monitoring: Continuously monitor the third party and their subcontractors to identify data privacy risk and set alerts for high-risk third parties and their subcontractors.
  • Subcontractor monitoring: Subcontractors also need to comply with GDPR requirements and must be assessed for risk to the same extent as the processor that engages them.
  • Mechanism for incident reporting: Enable incident reporting mechanisms for internal departments and their third parties to report data privacy incidents and their potential impact. The regulation requires data breach notification to supervisory authorities within 72 hours of detection.
  • Ensure third parties are compliant: Organizations need to make sure their third parties are GDPR compliant and follow strict policies and controls that are aligned with the organization’s own policies and controls.

Key Considerations for Managing Third-Party Risk in the Age of GDPR

  • Know your data: Know how third parties access, store, process, use and transfer the personal data (i.e., the end-to-end data management cycle).
  • Extensive screening for third-party onboarding: Expand the scope of due diligence of third parties by adding privacy-related requirements and conducting a data privacy impact assessment while onboarding new third parties.
  • Third-party contracts: Review the legal clauses in vendor contracts to ensure they meet GDPR requirements, including the requirements that flow down to subcontractors.
  • Improve third-party risk assessments: Identify and communicate with data owners, perform data privacy risk assessments for all third parties that have access to personal data and enhance the TPRM framework with GDPR requirements (e.g., adding GDPR requirements in vendor risk scoring).
  • Risk-based continuous monitoring: Continuously monitor high-risk third parties.
  • Update your third-party risk management process: Profile third parties, classify them based on criticality and appoint a Data Privacy Officer (DPO) for monitoring GDPR compliance by third parties.
  • Implement and monitor controls: Define controls to protect personal data and continuously monitor the effectiveness of these controls. Also, define controls for data processing, accessibility, audit, record maintenance and subcontracting.
  • Establish policies and procedures: Establish policies and procedures to detect data breaches and establish incident reporting mechanisms for internal departments and their third parties.
  • Enhance IT systems: Enhance the respective IT systems to comply with GDPR requirements.
  • Adding metadata: Add GDPR-related metadata to vendor data inventory.
  • Audits: Add privacy-related controls to the audit plan.

The Bottom Line

The GDPR represents a sea change in how business data is handled. Banks need to take a very strict approach toward GDPR third-party compliance by taking proactive measures to ensure their vendors are up to snuff and that personal data is not exposed. It’s time for banks to upgrade their existing third-party risk management framework in line with GDPR requirements, which will allow them to assess third parties for GDPR compliance. It will also help banks understand their current level of compliance with the GDPR and develop an action plan to mitigate data privacy risk.


Tags: GDPR, Third Party Risk Management

Vandana Vaswani has over five years of industry experience in banking risk and compliance. She is a domain consultant with the risk management practice of the Banking and Financial Services (BFS) business unit at Tata Consultancy Services (TCS). She has worked with various large banking clients to support credit risk, operational risk and model risk engagements. Vandana can be reached at vandana.vaswani@tcs.com.