GDPR and Vendor Management
Many organisations are currently struggling with vendor management under the GDPR. One thing is clear: A more detailed and continued scrutiny of your vendors is now required from a data protection perspective.
Some of the key activities that organisations must now conduct with their vendors include:
- Appropriate technical and organisational measures to protect data according to its sensitivity must be communicated during initial engagement with vendors (such as requests for proposal);
- Data controllers must create screening questions for potential vendors/data processors to assess their capacity for supporting GDPR compliance;
- Data controllers need to implement contractual language imposing GDPR requirements in all contracts; and,
- Data protection by design and by default must be required from vendors to build in appropriate technical and organisational measures designed to implement data protection principles.
It is worth noting that Articles 30, 32, and 35 apply even when using a vendor! This means that Records of Processing, Security of Processing, and DPIA must be conducted and maintained by your vendor, in addition to your own organisation.
Contractual Requirements for Data Processing
Vendor contracts need to be much more detailed than ever before. The many requirements of Article 28 must be implemented by the data controller via contract. This will include:
- Processing takes place in accordance only with the instructions of the data controller
- Confidentiality agreements on personnel
- Measures to secure personal data
- Written consent of data controllers for sub-processors
- Implementing mechanisms to support controller’s obligations for individuals’ rights
- Assisting controller in obtaining approvals where required
- Data processor must inform controller if instructions (which must be documented) are in conflict with the GDPR
- Support controller with all documentation necessary to demonstrate GDPR compliance
One of the key issues with vendors is maintaining accountability in international transfers. Take, for example, CRM software. Though the data contained within the software is mainly contact info, the sales force has likely also inputted personal information about each contact. This needs to be considered. In some cases, sensitive information is easily identified (e.g. credit card info), but this is not always the case.
In an ideal world, organisations would confirm security and privacy requirements with vendors in the following manner: a contract is signed that contains all obligations up-front, including agreed-upon capabilities, third-party compliance, and monitoring. Instead, what often happens is that these details are only revealed late in the game, resulting in vendors being “shocked” at the depth of the privacy responsibilities, and often, among internal stakeholders, a perception that privacy management is “getting in the way” of progress.
The question becomes: How do we deal with the challenges at the transactional and governance level to demonstrate compliance with the GDPR in vendor relationships? Vendors are brought in at a project level, hired to perform a task while managing the data in compliance with privacy requirements. These issues highlight a fundamental internal process requirement to enunciate those requirements: PIA/DPIA, and PbD/DPbD.
Nymity Solutions for Evidence-Based Vendor Documentation
There are two basic aspects of demonstrating compliance in vendor interactions:
1) Ongoing governance over:
- Vendor management within the data controller
- Monitoring the vendor/data processor
NYMITY SOLUTION: Attestor™
2) Ensuring appropriate review of each initiative, project or activity for which a vendor is being retained
- Privacy Impact Assessment/Data Protection Impact Assessment
- Data mapping and inventory
NYMITY SOLUTION: ExpertPIA™ and ExpertMapping™
Attestor provides a customized view of how operations are complying with the privacy program. This provides an overview of vendor management activities across the organisation, and from each of your business units. Users are provided with a scorecard to measure progress, and users can pose a set of questions that vendors and the business units must answer, providing proof of compliance.
Nymity ExpertPIA™ and ExpertMapping™
ExpertPIA and ExpertMapping provide us with visibility on the transactional component. How do we ensure projects and vendors receive accurate review of compliance efforts? These tools direct the user to the right path to get the desired results, by serving up the correct policies and procedures to the business units, ensuring that they are managing risk appropriately. The expert system also provides data inventory and data mapping, so that users understand which vendors are handling personal data, and are able to provide Article 30 and 35 reports for vendor processing.
To learn more about how Nymity’s solutions can assist your organisation in ensuring vendor compliance with the GDPR, view our recent webinar on demand, or