What is Vendor Risk Management and why is it important?

What is vendor risk management?

The process of managing security risks posed by third parties, and ensuring that the organisation is compliant with data protection laws, is known as “vendor risk management” or “third-party risk management”.

If an organisation is trusting a supplier to process its personal data (and often large amounts of it), conducting an assessment of the risk involved is essential to protect not just the reputation of the business, but most importantly, the rights and freedoms of the subjects whose personal data is being processed.

When is outsourcing necessary?

Nowadays, outsourcing is, in many cases, a crucial part of running a business. If an organisation doesn’t have the capacity, resources, or expertise to fulfil certain duties, then the best idea is usually to seek external support. It also may simply be a more cost-effective solution than trying to carry out these functions in-house.

Outsourcing is therefore a very common part of running a business. In fact, some of the largest companies in the world – such as Google and Microsoft – rely heavily on outsourcing work to external vendors. This covers HR, finance, IT support and many other business activities – including something we provide at DPAS, an outsourced Data Protection Officer (DPO) service. Other commonly outsourced third parties are IT suppliers and cloud solutions, such as those used to facilitate card payments and those used to store data.

However, can the third party be relied upon to safeguard the personal data you trust them with?

The risks of procuring new suppliers

When onboarding a new supplier, organisations should be entirely confident that this supplier will prioritise privacy and comply with data protection laws. As Article 28 of the GDPR sets out:

“Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”

Without this assurance, businesses run the risk of outsourcing to third parties that may, unbeknownst to the organisation utilising them, pose a risk to the valuable data being processed.

In fact, many departments in larger organisations will often procure their own suppliers, sometimes neglecting to involve Procurement, Legal or the Data Protection Officer. In these cases, there may be issues regarding the third party’s adherence to stringent data protection regulations further down the line. Therefore, carrying out due diligence prior to onboarding is an essential part of the process. After all, it’s better to be safe than sorry.

Managing the risks associated with third party processing

There are numerous potential risks involved when implementing a third party vendor into a business’s operations. One of the most significant ones lies in where the processor stores/hosts data, as there may be international data transfer implications to consider depending on this – such as with SaaS or Cloud-based providers.

To combat these risks, the controller and the processor should enter into a Data Processing Agreement (DPA). Article 28 of the GDPR requires that any processor used provides “sufficient guarantees” that they implement appropriate technical and organisational measures to ensure that the processing will meet GDPR requirements and “ensure the protection of the rights of the data subject”.

This article also sets out that processing must be governed by a contract (or other legal act under domestic law), binding on the processor with regard to the controller. This contract should set out:

  • The subject matter and duration of the processing
  • The nature and purpose of the processing
  • The type of personal data and categories of data subjects
  • The obligations and rights of the controller
We recommend reading Article 28 in full for the complete list of requirements for what this agreement should stipulate.

Conducting a data protection impact assessment (DPIA)

As part of the necessary due diligence carried out before onboarding/implementing, a data protection impact assessment should be conducted. This will give a more straightforward idea of the risks associated with onboarding the third party, allowing the organisation to take a more informed approach.

While certainly a crucial task, a DPIA is only the first step toward ensuring that personal data controlled by an organisation isn’t put at risk. The organisation will need to consider all aspects of data protection when implementing a new third party – including analysing the DPIA results for any potential risks and requiring the third party to remediate those risks.

Failing to conduct these assessments may have negative consequences including, as mentioned earlier, the loss of personal data and damage to your reputation as a result.

What to include in a DPIA

The GDPR (Recital 76) provides that when conducting a risk assessment, the likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing. Article 35 provides additional guidance, for example, setting out that a DPIA must include, at least:

  1. a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
  2. an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  3. an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and
  4. the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.
Unfortunately, when determining risks there is no ‘one size fits all’ approach that can be applied; risk should instead be evaluated on the basis of an objective assessment. This will depend on a multitude of factors, including the type of processing that the third party is going to be used for, the categories of data being processed, the number of data subjects whose data is being processed, and how necessary this processing is for the functioning of the organisation.

How can DPAS help?

We can assist your organisation with its vendor risk management through our Third Party Supplier Review Service. Our data protection professionals can help you with your due diligence by conducting an effective review, so that your organisation can confidently outsource to a third party without doubting the privacy of the personal data it processes.

If you’d like to talk to us more about how we can help, either give us a call on 0203 3013384 or send us an email at info@dataprivacyadvisory.com – or simply fill in a contact form, and we’ll get in touch with you.

Conducting a third party supplier review can be challenging, so let us make it simple for you.
