Navigating GDPR and third-party risk management:
A quick guide

19th January 2018BlogAJ Thompson

Are you ready to get in touch?

Request a Call back

Gain visibility of your enterprise’s 360° cyber risk score

Although organisations know they should take their cyber security and compliance requirements seriously, one key area that often tends to get overlooked is that of their third-parties.

Organisations are facing the General Data Protection Regulation (GDPR), which came into force on the 25th May, 2018. They have become increasingly aware of the essential legal requirements imposed by GDPR and the business risks posed by cyber security breaches. Many have devoted substantial resources to identifying and eliminating internal vulnerabilities and mitigating their exposure resulting from potential cyber security incidents or non-compliance with GDPR.

Organisations have found that they must address cyber security and privacy risk management from multiple angles. This includes:
1) Investing in robust IT security systems,
2) Conducting employee security awareness training,
3) Considering the purchase of cybersecurity-related insurance policies
4) Develop a data breach response plan to ensure they can meet the 72 hours of data breach notification of GDPR.

Third-party risk assessments

An important but sometimes overlooked element of that process is third-party risk assessments or data processor risk management.

Organisations must assure regulators of third-party compliance with cyber security & privacy regulations. Share on X.

Under GDPR, when asked, organisations are legally bound to provide assurance to the regulator that these third-party service providers comply with the new regulations by having good cyber security and privacy controls in place.

As we have seen from many cyber security breaches, a company’s cyber security is only as strong as the cyber security of its GDPR third-party risk assessment service providers.

A company's cyber security is only as strong as the cyber security of its GDPR third-party risk assessment service providers. Share on X

third-party risk assessment. are your third parites putting you at risk of a cyber attack?

Mitigating cyber security and data privacy risks with third-party service providers

This article discusses some of the issues organisations should consider in seeking to mitigate their cyber security data privacy risk in connection with third-party service providers.

Take stock of existing third-party risk vendor relationships

The first step is to ensure that your organisation understands who has access to what data. Does your organisation store information in the cloud? Does your organisation use a vendor to host its website?

These days most, if not all, organisations provide some data or systems access to at least some third-party providers, whether the vendor be a payroll services provider, a business consultant, a data storage provider, a printing services provider, a payment processor, a lawyer, an IT support provider or even the company providing facilities management for your building.

This is a requirement of any third-party risk management assurance program. As well as understanding who these providers are and what information you exchange with them, whether it has been classified as personal data or not, under GDPR, you also need to be clear on who is the data controller or processor in each relationship. This will help you understand which part of the GDPR needs to be complied with.

Under GDPR, you also need to be clear on who is the data controller or processor in each relationship. Share on X

Under GDPR, you also need to be clear on who is the data controller or processor in each relationship. Share on X

peole in supply chain third party discussing cyber security risks

Limit access and segregate data for third-party suppliers

Although sharing some data or systems with outside service providers may be necessary, such access should be on a need-to-know basis to meet the data minimisation principle within GDPR.

There have been many, but the well-publicised and very costly credit card data breach experienced by Target Inc started with the theft of credentials granted to the company that managed Target’s Air conditioning, Fazio Mechanical Services.

The attackers infected the vendor with general-purpose malware through an email phishing campaign.

While many lessons can be gleaned from Target’s misfortune, one of the most obvious is that compromising an air conditioning vendor’s credentials should never have led to compromising a company’s payment system data. This could have been easily mitigated by segregating the Air conditioning network from the company’s payment card systems network. Fazio Mechanical Services could have helped reduce its risk of phishing attacks by running regular cyber security awareness training for its staff. To become GDPR compliant, you will have to run regular security awareness training for your staff.

Review existing contracts

A written contract will be a crucial foundation for a relationship with third-party service providers. If it has not already done so, your organisation should review existing vendor contracts with an eye towards mitigating cyber security risks.

Under GDPR, Data processor activities must be governed by a binding contract about the controller.

Several contractual protections might help to manage such risk:

Contracts can include provisions requiring providers to comply with specified cybersecurity procedures and technical controls. It would also help if they were built around a recognised security framework like NIST, BS 27001 or CIS top 20 security controls.

Under GDPR, processors, like controllers, must implement appropriate security measures. What is right is assessed in terms of various factors, including the sensitivity of the data, the risks to individuals associated with any security breach, state of the art, the costs of implementation and the nature of the processing.

Regular testing of the effectiveness of any security measures is also required.

  1. Consider requiring the vendor to make representations or warranties regarding its cyber security practices or authorising your organisation to conduct audits regarding the vendor’s ability to meet and sustain your security expectations. Under GDPR, you must have a right-to-audit clause within your processor contracts.
  2. Require that the service provider implements timely notification of any security incidents that it experiences. Under GDPR, your processors must notify their relevant controller of any breach without delay after becoming aware of it. Such a provision might also define your organisation’s rights to control any responses or disclosures to third-parties in the event of an incident.
  3. Control with good security controls and limit downstream transfers of your data, specifically personal data, under GDPR.
  4. Require the vendor to destroy copies of your data as you specify on the termination of the relationship.
  5. Consider how to allocate liability through indemnification provisions or limitations on liability based on the nature of the relationship, the sensitivity of the data involved and the GDPR requirements.
  6. Consider requiring the service provider to maintain cybersecurity-related insurance coverage. It would be best to consider whether and to what extent data breaches stemming from third-party service providers fall within your insurance coverage. You should consider combined public liability and cyber-security insurance coverage for the best possible range.

Develop a third-party cyber risk and GDPR compliance assurance program

After reviewing existing contracts for these requirements, an organisation should consider whether such agreements can and should be renegotiated. It’s very likely they will, as most contracts I see daily do not meet the requirements of GDPR. Additionally, the organisation should develop cyber security data protection guidelines for future agreements.

Once these revised contracts have been renegotiated and put in place, organisations should implement a Continuous Compliance Monitoring program that allows them to monitor their third-party service providers’ cyber risk and GDPR compliance on demand.

This program should also be able to monitor both third-party risk and fourth-party and fifth-party risk across your ecosystem of service providers and partners.

One thread that runs through the GDPR is the requirement to demonstrate compliance.

So, in case of a data breach or audit by the regulator, you will be required to demonstrate reasonable third-party assurance. This can be easily achieved with an ongoing Continuous Compliance Monitoring program.

The fact that Target’s breach originated from a third-party service provider did not prevent Target from incurring enormous losses in the form of litigation expenses and loss of customer confidence, among other things.

For that reason, the primary goal is to prevent an incident. If, however, an incident does occur, the robustness of an organisation’s procedures and practices about third-party service providers could help to limit its liability in subsequent litigation, which could include a shareholder suit against directors and officers, a customer or employee data privacy suit, or regulatory scrutiny.

Indeed, regulators have begun to scrutinise third-party relationships in the context of cyber security and GDPR legislation.

Third parties are not limited to outsourcers alone. They can also be your suppliers. For example, a significant global organisation with a massive supply chain could have thousands of supplier relationships with digital entities that put your organisation at risk of a security breach or hefty fines because of non-compliance.

Find out more about how Northdoor can help your Continuous Compliance Monitoring program. Claim your free RiskXchange third-party risk management account by signing up below:

Our Awards & Accreditations