27 March 2018
Most organisations will have completed internal data-discovery exercises to identify and classify personal data. Covering the basics in this way is no bad thing, but as recent news about Facebook and Cambridge Analytica has shown, you also need to consider the more complex external perspective: how you manage data risk in your third-party relationships.
As we explained in our recent webinar with the Direct Marketing Association, understanding and mitigating third-party risk requires deep skills in compliance, data privacy and cyber security, and these are currently in very short supply. So what can you do to address your legal obligations around third-party Data Processors under the GDPR?
Traditionally, organisations would send out an annual survey to suppliers asking them to confirm various aspects of cyber security and data protection. Not only does this approach lack rigour, but also it is costly, hard to scale and too slow to drive meaningful decisions around risk management.
As a result, relatively few organisations truly understand the risk of outsourcing personal data to Data Processors. And, of course, this is not just a technical question, because it also encompasses people and processes. More importantly, any assessment of third-party Processors must also include any Sub-Processors that they work with. Ensuring compliance with the GDPR at all levels is crucial, not least because any deviation from the terms of your agreed contract with a Processor can automatically make them a Joint Data Controller under the legislation, incurring significantly more liability on both sides.
Recognising the complexity and the need for ongoing compliance, Northdoor proposes a standardised approach to managing and mitigating third-party risk, within a properly defined assurance programme.
The Northdoor approach begins with the Plan phase, in which you define third-party risk procedures and policies, and build the full list of third parties (and their partners) who process personal data on your behalf. This should include the country in which the Processor operates, because additional contract clauses will be required if they are outside the European Economic Area.
Once the list is built, the next step is the Assess phase. Here, you should develop your third-party Processor assessment questionnaire; we recommend input from experts on data privacy and cyber security at this stage, and the use of questions that will produce yes/no or checkbox responses. This questionnaire forms part of the Controller Processor Agreement (CPA), which sets out the requirements and acts as evidence in the event of an audit. The CPA should be sent to all suppliers for completion, and responses should ideally be received before the May 25th deadline.
The completed CPA documents should be scored using a recognised method, for example, NIST. Using an accredited approach like this will carry more weight if you’re later asked by the Information Commissioner’s Office (ICO) to produce evidence of your efforts to ensure compliance.
The third step is the Mitigate phase. First, you should establish your appetite for third-party Processor risk. Realistically, it may not always be possible for your suppliers to comply fully within whatever cost limits your trading relationship implies. You will need to set a minimum tolerable score level, then assess your list of suppliers in this light. For any suppliers that are found wanting, you will need to establish a joint mitigation plan. This should take no more than three months to complete, with clear milestones so that you can prove to the ICO that you are moving towards compliance.
The fourth step is the Monitor phase: GDPR compliance is an ongoing exercise – ideally, continuous. At the least, you should reassess your third-party Processors on an annual basis, and exercise your right to audit them. It’s important to bear in mind that the regulation will change over time, and to consider how this might impact the questions in your CPA. If your data-gathering process is manual, how will you manage the effort involved in adapting the questions and re-running the assessment each time?
During the Monitor phase, you should also take advantage of other sources of data. For example, rather than just accepting a partner’s assurances that they patch all IT systems, you should run cyber-risk assessments including penetration testing against them (with their consent, naturally). You should also have the capability to check social media and dark web sources to see if any of their (your!) data is on sale.
As part of monitoring ongoing compliance, you should consider developing dashboards and other user-friendly reporting capabilities, both to give senior managers a 360-degree view of third-party risk and to enable regulators to drill down into the information.
With skills in very short supply, Northdoor can offer a managed security solution that covers your requirements from data discovery right through to breach reporting, all using IBM’s industry leading products.
Northdoor framework for processor cyber risk and GDPR compliance aims to enable controllers to:
For smaller organisations with only a limited number of Processors and no known Sub-Processors, it may be possible to take a manual approach to assessing and managing risk. For everyone else, the sheer volume of work involved in gathering and interpreting data from tens, hundreds or even thousands of Processors and Sub-Processes will be prohibitive, and will make it impossible to maintain anything like a real-time view of risk.