Why Third-party Vendors Are About to Become a Significant Risk to Your Business
While the recent news cycle has been dominated by articles concerning Russian government hackers using Russian security software to steal classified US information, one of the biggest security and compliance stories is flying under the radar, especially here in the US. The big story businesses worldwide should be focusing on is the impending European Union (EU) General Data Protection Regulation (GDPR), which takes effect May 25, 2018. The GDPR will have wide-ranging, global business implications: it harmonizes data privacy laws across Europe and beyond, protects and empowers all EU citizens’ data privacy, and reshapes the way organizations across the region approach data privacy.
Some might ask “why should my business care about the GDPR if my company is outside of the EU?” The GDPR applies to all organizations outside the EU that process personal data for the offer of goods and services to the EU, or monitor the behavior of data subjects within the EU. This means if your company does any business in the EU or with EU citizens, you should be working on GDPR compliance NOW because the penalty for non-compliance can be big. Really big.
Just how big? Well, with potential penalties as high as 20 million euros (US $23.5 million) or up to 4 percent of a company’s worldwide revenue, whichever is higher, companies doing business in the EU can possibly face severe financial consequences for non-GDPR compliance.
There are plenty of articles about the GDPR and the steps companies need to take to ensure they are on the right path to demonstrating compliance in their data security and privacy practices, such as here and here. Instead of going this route, this post will delve into an area of GDPR compliance that receives less buzz but is equally important: third-party vendor management.
Did you know that the GDPR extends beyond the internal organization and includes a company’s third-party vendors as well? And that GDPR-applicable companies are explicitly responsible for the readiness and conduct of their third-party vendors that are storing or processing EU-relevant information? When you add in the multitudes of third parties a single company works with, it’s going to be a huge challenge managing all of them for GDPR compliance, and preventing a potential financial mess.
One of many possible examples of a GDPR third-party relationship is a US company that does business across the globe and works with a third-party service provider to communicate, collaborate and connect with employees, partners and customers in the EU. The provider might deliver an adequate level of service at a cheap price point, but how much is really known about its business practices, and can the relationship become a potential risk? Since the service provider processes personal data on behalf of the company, the company is responsible for all actions taken by the service provider concerning the proper or improper handling of that data. The company is also liable for who exactly is handling the data, as the GDPR states that the service provider is not permitted to subcontract its services without approval from the company.
It seems like a daunting task, but what can companies do to mitigate the risks of working with third-party vendors? Below is a list of things to consider when managing third-party vendors for GDPR compliance:
- Don’t assume your third-party vendors take security and compliance seriously, let alone are GDPR compliant
- Clearly define all of the areas and activities in which GDPR is in scope, and have your third-party vendors agree and provide signed contractual assurances they will achieve all the GDPR compliance intricacies prior to May 25, 2018
- Agree that your third-party vendors will not outsource any GDPR-relevant scoped services without written approval
- Do your due diligence and regularly audit your third-party vendors’ processes
- Make sure your third-party vendors perform thorough background checks on all staff and contractors–not just credit and employment but criminal too–especially if they operate in countries known for abetting hostile state actors
- Know where your third-party vendors’ employees are located. Determine your comfort level working with vendors employing staff and contractors in countries where hostile state actors are employed and/or that are known for supporting, tolerating or ignoring cyber criminal activity. Understand the severe potential security, compliance and financial risks this might entail.
Just as with HIPAA in the US, where companies should only work with third-party vendors willing to stand behind their HIPAA compliance by obtaining validation of that compliance from one of the major consulting firms or a recognized legal authority and putting it in writing in a Business Associate Agreement (BAA), much the same can be said for businesses progressing toward GDPR compliance before it takes effect next May.
Since companies are responsible for the conduct of their third-party vendors, they need to partner with vendors that will enforce all of the appropriate policies, procedures, monitoring and governance necessary to meet the rigorous EU General Data Protection Regulation requirements. In the end, it’s in a company’s best interests not to become another Equifax, or one of the more than 50 percent of GDPR-affected companies that Gartner predicts will not be in full compliance by the end of 2018–and be on the hook for potential penalties as high as 20 million euros.
Do you want to learn about other tough security, compliance and reliability questions to ask your service provider? Download the white paper, What Providers Won’t Talk About: Compliance, Security and Reliability.