GDPR & Third-Party Risk: From Compliance Pain To Commercial Gain

Posted: Nov 24, 2017
Simon Brownbill

The EU General Data Protection Regulation (GDPR) replaces the current Data Protection Act and was designed to harmonise data privacy laws across Europe, to protect and empower EU citizens data privacy and to reshape the way organisations approach the privacy and use of Personally Identifiable Information (PII).

GDPR represents a huge change (and opportunity) for all businesses. Whilst specifics around rules and implementation remain unclear, three things are certain:

  • You need to be ready by May 25th 2018
  • Regardless of Brexit, everybody must comply
  • Fines are much higher: up to €20m or 4% of global revenue, whichever is greater

Recent studies show that many businesses are not ready for this transition, but it’s not all doom and gloom…

GDPR will encourage us to build more meaningful relationships with clients and prospects. Gone are the days of spamming, cold calling and irrelevant email communications. Instead, there will be more relevant content, more engaged customers and an increased focus on security and privacy of all our personal data.

So how can we make sure GDPR is a Win-Win for Data Controllers and Data Subjects alike?

The ICO has issued a briefing document on the “12 Steps to Take Now” in preparing for GDPR. This is a good basis from which to build your compliance. Here are a couple of other starting points for you to consider:

Clearly define the roles and responsibilities for GDPR compliance.
Whether it’s a working group or designated Data Protection Officer, identify some experts then train and support them.

Scope and document all the data and storage platforms you possess.
Create a data register and record all the internal and external processes, policies and platforms that support it.

Review and define clear policies, workflows and actions.
For example, in the event of an internal breach, an external security incident, a complaint or a request for access, who is responsible for doing what?

Collate and review all your contracts with Third Party suppliers.
Do they include the right to audit? Do they directly reference compliance with GDPR or any other regulatory requirements? How well do they cover GDPR-compliant data processing and data security controls?

Remember, GDPR also applies to employee PII. It’s just as important to ensure that internal and outsourced functions and processes surrounding employee data are managed with the same level of due diligence.

Likewise, departments such as HR and Finance need to be given a seat at the table when planning your GDPR compliance strategy and deployment.

Turning Compliance Pain into Commercial Gain
Regulatory compliance can be seen as an onerous, box-ticking exercise. However, this time and effort can be used wisely to refresh your approach to the acquisition, usage and storage of data and turn it into a competitive advantage.

For all changes that come with GDPR, there is a valid commercial opportunity to improve your data governance, operational efficiency and sales and marketing efforts.

What now?

Address the highest risks to the business if left unchecked.

How long will each action take to complete? Reviewing and renegotiating contracts can be a lengthy process, and auditing and assessing supplier security controls doesn’t happen overnight.

It is better to be over prepared than under prepared!

This is where our client DVV Solutions can help you in the transition to complete GDPR compliance of your Third Party data processors. DVV Solutions has become one of the UK’s leading providers in the design, implementation and management of Third Party Risk Management (TPRM) and IT Security Assurance services.

DVV Solutions have put together the latest guidelines on GDPR and Third Party Risk; you can contact them directly on 0161 476 8700.