Unleashing the Power of Third Party Management to Achieve GDPR Compliance
May 25th, 2018, ushered in a major overhaul of how organisations around the world can collect and process the personal data of EU citizens. The General Data Protection Regulation (GDPR) received much attention in the months leading up to its enactment. Organisations raced to get their house in order and to adapt to their new obligations as “data controllers.” Several months on, there is still strong interest in learning how to make sure third party data processors, including suppliers, contractors and technology providers, are in line with the new data protection standard.
Earlier this month, we hosted fourteen delegates from leading European and global banks and financial institutions at the Opus offices in London for a breakfast briefing on GDPR compliance and third parties. Our discussion centred on the importance of third party risk management to create processes that ensure GDPR third party requirements are met.
Key Takeaways on Third Parties and GDPR Compliance
Richard Saville, Opus’s in-house GDPR specialist, hosted the session, providing a tangible 4-step process for compliance as well as seeking to learn more about the specific day-to-day challenges GDPR poses to the organisations in attendance. Here’s what we learned.
Progress toward GDPR implementation
Organisations have come a long way in ensuring GDPR compliance across the business, yet third party compliance is still an area for action. We were pleased to hear from delegates around the table that the C-suite has a growing interest in GDPR compliance. That interest stems not only from the potential fines under GDPR, but also from the growing threat of reputational harm following a data breach.
Compliance with GDPR Articles 28, 29 & 30
The most important factor for third party GDPR compliance is adhering to Articles 28, 29 & 30, which set out the requirements for businesses working with third parties: Article 28 covers the obligations placed on processors and the written contract that must govern the relationship, Article 29 requires that processing take place only on the controller’s instructions, and Article 30 requires records of processing activities. GDPR sets much higher expectations for third party relationships than the previous regime. When reviewing regulatory compliance, it is easy to implement time-consuming practices that take a business’s attention away from its primary objectives, such as improving competitive advantage, enhancing market differentiation and serving customers.
We considered how effective third party risk management not only brings about compliance, but also supports the business by improving workflows and enabling suppliers to truly unleash the potential of an efficient supply chain. With the right processes in place, and by focusing on third party performance and effectiveness, companies can make sure third parties are able to complete the operations they are expected to fulfil.
The importance of segmentation
Part of the 4-step process for GDPR compliance presented by Richard Saville included segmentation of risk. Segmentation involves initial screening, due diligence and risk ranking to sort third parties according to their risk level and to exclude third parties that present no data privacy risk. Attendees considered segmentation a crucial way to focus their attention on the most important areas of risk management.
Our discussion keyed in on the need for a risk register as an initial step, and then the need for inherent risk scores and the required controls to determine residual risk. The entire 4-step process presented at the event is available in this handy infographic.
We always enjoy discussions that get to the heart of what compliance means for companies. If you were unable to join us at this briefing, keep an eye out for future events! Our next breakfast briefing will be held in Johannesburg, South Africa on November 7th, 2018. Visit the Opus website to see a full list of where you can find our team next.