[GDPR Step 09] How to Conduct Vendor Risk Assessments

The General Data Protection Regulation (GDPR), introduced by the European Union, took effect on May 25, 2018. With the introduction of GDPR, organizations not only have to monitor their own processes, but also ensure that their vendors successfully protect the personal data of subjects such as customers, employees, and prospects.

We recently hosted an on-demand webinar, Practical Steps to GDPR Compliance, that focuses on a comprehensive 16-step plan to operationalize a data governance program that supports GDPR compliance.

Conducting vendor risk assessment is Step 9 in this plan. To know more about the first eight steps, check out the links in the sidebar!

GDPR’s Perspective on Vendor Risk

Vendor risk assessment is a subset of data protection impact assessment. While most organizations perform an exhaustive assessment of their internal processes and systems, they tend to ignore third parties such as suppliers and service providers.

Managing vendor risk is challenging since it is not under the direct control of organizations. However, the GDPR clearly mandates that both controllers (entity that determines the purposes and means of processing of personal data) and processors (entity which processes personal data on behalf of a controller) come under its purview.

Article 28.1 of the GDPR deals with the obligations of a third-party processor of information. The article states that where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures to meet the requirements of the GDPR.

Article 28.2 further states that the processor shall not engage another processor without prior specific or general written authorization of the controller.

If a vendor breaches the privacy of personal data, organizations can be exposed to huge fines of €20M or four percent of their revenues, whichever is higher. Hence, an exhaustive vendor risk assessment is critical for GDPR compliance.

How to Perform a Vendor Risk Assessment

Data governance must ensure that legal and compliance teams sign off on vendor risk assessments prior to sharing any personal data with vendors. However, doing this assessment is not straightforward. Just sending out a survey form with a list of checkboxes would not suffice.

A typical vendor risk assessment comprises the following steps:

  1. Identify vendors — Many organizations do not have a master list of vendors. Given the number of third-party apps in use today, the first task is to compile a comprehensive inventory of vendors in a single system of record.
  2. Evaluate contracts — Legal and compliance teams need to look at existing contracts and evaluate how to modify them so that vendors are forced to be compliant with the GDPR. Contract templates need to be drafted to make this process faster.
  3. Identify vendors’ vendors — Vendors cannot pass personal data to downstream processors without the organization’s knowledge and authorization. If a vendor shares any personal data with downstream processors, legal and compliance need to sign off on vendor risk assessments for those downstream processors as well.
  4. Prepare readiness check questionnaires — Questionnaires help understand how vendors perceive their readiness. Often, the responses provide insight into whether data is at risk or not.
  5. Perform on-site audits — Conducting on-site audits helps determine whether the responses to questionnaires are aligned with the ground reality. These audits can be scheduled at regular intervals to assure continued preparedness.
  6. Decide go/no-go — At the end of an assessment, if the data governance team suspects potential risk, it needs to evaluate whether the vendor’s action plan for becoming GDPR compliant is strong enough to justify continuing the engagement.

Using Talend for Vendor Risk Assessments

Vendor risk assessments are time-consuming, so manual processes cannot work in the long run. Using technology not only expedites the process, but also provides conclusive metrics for analysis. Also, the outcomes of the assessment can be integrated as solutions into systems.

Talend technologies can support a vendor risk assessment in situations where data is collected from or shared with vendors. Talend tools go beyond the assessment phase to automatically enforce GDPR controls relating to the exchange of data on a day-to-day basis. Talend Data Quality can embed controls within a data integration flow while Talend Data Stewardship can transfer accountability for data stewardship to the vendor.

Next Steps to Vendor Risk Assessment

Vendor risk assessment is not a one-time activity. Governance needs to demonstrate continued investment into the process and update resources, documents, and systems according to new findings. Also, organizations need to stop working in silos and communicate better with their vendors.

The next step of Talend’s comprehensive 16-step plan to achieve GDPR compliance is improving data quality.
