Preparing for GDPR: Are Companies Overlooking Third-Party Risk?
This past summer, British pub and hotel chain J.D. Wetherspoon shocked the marketing world by deleting its entire customer email database. Two years after the company’s data was breached, affecting more than 650,000 customers, a spokesperson for Wetherspoon explained that the company “felt, on balance, that we would rather not hold even email addresses for customers. The less customer information we have, which now is almost none, then the less risk associated with data.”
Wetherspoon’s drastic measure is proof that the management of personal customer data has become an albatross for many organizations across the world – as the ability to collect data increases so, too, do questions around customer privacy and data usage. In response to these issues, the European Union is just months away from officially implementing its General Data Protection Regulation (GDPR), the “most important change in data privacy regulation in 20 years.”
In May, the GDPR will replace the 1995 Data Protection Directive, changing the way businesses and organizations that operate in the EU deal with data privacy and creating more modern standards that better protect EU citizens. Key changes in this new regulation relate to territorial scope, penalties, conditions for consent to data usage, and data subject rights, such as breach notification and the appointment of data protection officers (DPOs) to oversee controllers and processors.
Consent is key, and under the GDPR, there will be just five instances in which processing personal data without explicit consent is lawful:
- The personal data is necessary for the performance of a contract. In this instance, consent is given upon entering into a contract.
- There is a legal obligation to process the data.
- Processing the data will protect the vital interests of the data subject or someone else.
- Processing the data is necessary to the public’s interest.
- The data needs to be processed for what is considered legitimate purposes, for instance in the framework of anti-money laundering.
The GDPR will apply to not only EU organizations, but any entity that monitors the behavior of EU citizens or provides them goods and services. Leading up to official implementation, the EU has been going through a two-year transition period to help businesses update their processes and policies to be in compliance with the GDPR.
The Missing Link to Preparing for the GDPR
Earlier this year, Opus conducted a survey in an effort to estimate the readiness of organizations for GDPR compliance. The results were positive in terms of companies’ familiarity with their internal efforts to prepare for GDPR, but some results were somewhat concerning.
While many respondents felt confident that they are prepared in a number of areas, only 15% said they have completed a comprehensive information audit that could point to how data flows through an organization, the types of personal data a company holds, where it is stored, and who has access to it. If you don’t know what your risks are, how can you say that you are prepared to address them?
A lot of companies have a good handle on their internal information security, but as that information gets downloaded or extracted into spreadsheets and ad hoc systems, it’s hard to track what projects are underway in a big organization. From our survey, less than half of respondents felt confident that they had identified all third parties with access to personal data held by their organization. In the past, companies have been more open with their practices, but that will backfire under the GDPR if companies aren’t careful.
How Companies Can Better Manage Third-Party Information Security Risk Under GDPR
When preparing for the GDPR, companies must consider their third-party risk, particularly regarding their exposure to a data breach. In the Opus-sponsored study on third-party data risk conducted by the Ponemon Institute, we found that data breaches caused by third parties are on the rise, with 56% of respondents saying they have experienced a data breach as a result of sharing sensitive information with a third party. Assessing and mitigating this risk requires a technology-driven approach.
In preparing for the GDPR and assessing our compliance status at Opus, we started looking at the requirements of the GDPR from our own technology stack perspective. It became clear that there was an opportunity to provide clients with a tool that would enable them to conduct their own third party assessments. Using the regulation as the control framework, we used the self assessment questions from the Information Commissioner’s Office to create a questionnaire for collecting evidence of compliance from suppliers and vendors.
This questionnaire is presented in a format that requires no detailed knowledge of the regulation in order to provide responses that will enable an assessor to determine compliance. The questionnaire provides guidance as to why the questions are important but the respondent requires no legal understanding of the regulation in order to do his or her job.
There are also simple best practices that you can adhere to and help ensure compliance for data protection:
- Do a complete audit of what information your company is holding and who has access to it.
- Ensure that the information is only available to the people who need it.
- Only collect the data you need and shut down data that isn’t relevant.
- Keep data on your systems only for as long as necessary.
- Always ensure that you have received explicit consent to use the data.
As the EU inches closer to GDPR implementation, many organizations are concerned about the large fines associated with non-compliance (up to 4 percent of annual global turnover or €20 million). But those organizations are missing the point: GDPR is good for customers, making it ultimately good for business. At the end of the day, the new GDPR regulations all come down to common sense and good data management techniques.
To learn more about Opus’ approach to helping companies with GDPR compliance, download our datasheet. Stay tuned for the full results of the Opus GDPR-preparedness study to see how your company compares.
Find this post helpful? You’re invited to a breakfast briefing on managing third party risk in-line with GDPR. Join us in London on October 10th, 2018.