Implementing the EU General Data Protection Regulation (GDPR) is a significant challenge for most enterprises because it requires many to completely change their perception of personal data security. The regulation, in effect since May 2018, covers personal data protection in multiple areas, including processing personal data.
During interviews of representatives from dozens of enterprises that use third-party services, the representatives appeared to downplay the importance of protecting the personal data that their vendors access.1 During enlightening discussions that followed, these representatives became aware of the key data protection issues and risk factors that are related to third-party services.2 A deeper knowledge of enterprise third-party providers and a successful implementation of proper monitoring mechanisms, including risk profiles, auditing and compliance checks, can significantly raise the overall security of enterprise business activities and ensure compliance with personal data regulations, including GDPR.
Enterprises can use the questionnaire in figure 1 to determine their level of knowledge about their third-party service providers.
If all answers are yes, the enterprise can turn its attention to other matters. However, any no or do-not-know answers signal a need to investigate GDPR regulations pertinent to outsourcing personal data processing and to plan any resulting actions within the year.
Data Processor—Meet the Provider
According to Article 4 of GDPR:
- “[C]ontroller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- “[P]rocessor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.3
The controller decides why and how personal data should be processed and then, either in its own capacity or with the help of a processor (third party),4 attempts to achieve these goals. Using a third party always carries a certain risk that needs to be properly assessed with a risk profile. This assessment allows an enterprise to determine whether using third-party services brings in sufficient business benefits to offset the related risk that the enterprise deems acceptable.
Preferably, risk profiles are created while third parties are being evaluated for potential services, but profiles can be created and risk can be evaluated for existing service providers. The enterprise should look at its third parties through a wider lens than purely prospective data processors to get a broader perspective and allow the enterprise to better manage the personal data that third-party providers can access.
The following procedure provides an enterprise with comprehensive knowledge about its service providers.
Step 1: Compile a List of All Enterprise Service Providers
If an enterprise works with dozens or hundreds of third-party providers, compiling a thorough list may be challenging. An enterprise should have thorough knowledge about all its third-party providers, in all areas of its operation, including smaller providers and those that provide services or goods of lesser monetary value or to a narrow business niche. This information should be kept in a single database.
Step 2: Compile a List of Services Rendered by All Third Parties
This list should include every service that the enterprise receives from third parties. Each service is assigned a significance rating, which indicates the importance of the service to the enterprise business. Using a finite numerical scale or a set of quality descriptors for this rating is recommended. Rating the business importance of services allows for more precise risk profiles. The rating of the services depends on the requirements defined in the organization and their significance for the enterprise. Following is an example list of services:
- Accounting services
- Legal services
- IT systems services
- Human resources support services
- Office cleaning services
- Application hosting services
- Data processing services
- Big data analytics
- Physical security and building access control
One may wonder why mundane services such as office cleaning are included in the list. Cleaning staff have access to the entire office space. Unless a clean desk policy is strictly implemented, office cleaning staff has daily contact with documents and sticky notes left in enterprise employees’ workspaces. Knowing who performs this service for the enterprise is the first step in limiting the risk of a potential data leak.
Step 3: Link Each Service With Its Provider
The links allow an enterprise to identify the providers that require special attention (e.g., those that process enterprise data, including personal data, or host enterprise IT systems). A provider may provide multiple services. Sometimes, the linking process reveals that some vendors do not have assigned services or some services do not have assigned vendors. If this is the case, the enterprise should answer the following questions and resolve any issues:
- Is the vendor list complete?
- Is the services list complete?
- Why does the enterprise need a vendor that is not delivering a value (no services assigned)?
Step 4: Create a Risk Profile for Each Provider
The enterprise assesses each third party with regard to two aspects:
- Aspect 1—Risk linked to the potential of the third party as a result of it running its day-to-day business activity.
- Aspect 2—Risk linked to the services rendered to the enterprise by the third party.
A risk-profile questionnaire aids the process. The questionnaire includes:
- Questions about each risk area (aspect)—Each question asks about a specific criterion that determines the risk level. Each organization should develop its own set of decision factors that will be taken into account during the evaluation process. It is recommended to consider the scope of business activities and the organization’s risk appetite.
- A significance level (weighting) assigned to each criterion
- A risk level assigned to each answer to a question—The risk level depends on the degree to which a given criterion is met.
Following are sample questions about aspect 1, the significance level for each question (criterion) and the risk levels for each answer:
- How many employees does the third party have? The significance is moderate.
- Less than 10—Risk is high
- From 10 to 100—Risk is moderate
- More than 100—Risk is low
- Is the enterprise IT service provider International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) standard ISO/IEC 27001 Information Security Management certified? The significance is high.
- Yes—Risk is low
- No—Risk is high
Following are sample questions about aspect 2, the significance level for each question (criterion) and the risk levels for each answer:
- Is the third party responsible for data processing? The significance is high.
- Yes—Risk is high
- No—Risk is low
- Does the enterprise have a signed confidentiality agreement with the third party? The significance is high.
- Yes—Risk is low
- No—Risk is high
- Does the third party have any history of past incidents related to the security of personal data processing? The significance is high.
- Yes—Risk is high
- No—Risk is low
- Do not know—Risk is moderate
This approach enables the enterprise to assess every provider with identical criteria and determine a normalized risk assessment for each.
With a risk profile for every third party, the enterprise can generate an aggregated data sheet and learn the distribution of risk profiles for all providers (figure 2). The data sheet helps the enterprise determine priorities and action plans for each provider, depending on their risk profiles. Figure 2 shows an example compilation for selected providers and recommended actions. Each data point represents a provider.
It is important to understand that a created risk profile for enterprise providers may change over time. This is not a one-time activity. This is a continuous process that should be repeated annually (at least).
Auditing and Compliance Verification— Benefits After Implementation
Based on risk profiles and recommendations for each third party, the enterprise can plan further actions to ensure data security and compliance with regulatory requirements that are imposed on the organization by regulators. Some actions, such as auditing service providers, can be taken if the relevant provisions are in the contract with the third party. Considering GDPR requirements, it is important to ensure that at least contracts with key providers for vital service types or risk levels are updated with pertinent clauses.
If it is impossible to ensure periodic auditing of the provider through contractual means, the enterprise should obtain a guarantee of the right to regular remote monitoring of the quality of the service provided (e.g., through questionnaires). These forms can be prepared well in advance, either as spreadsheets or a dedicated online polling system.
Acquiring information about providers and their services brings significant benefits to daily enterprise business activity. Most importantly, the enterprise is able to prove to any inspector that it is doing due diligence to minimize data-leak-related risk.
Knowing the enterprise providers and their risk profiles is also of invaluable assistance while making any business decision that relates to any aspect of data security. The added value comes from information gathered from regular monitoring of enterprise third-party GDPR compliance and the ability to follow third-party performance over time. Monitoring the changes in third-party risk profiles allows an enterprise to make decisions influenced by the observed trends, e.g., selecting the provider with the least risk. For example, when starting a new marketing campaign, an enterprise selects a marketing agency with a low risk profile to process new-client data.
Furthermore, compliance questionnaires help to forewarn enterprises about providers with less-than-stellar risk profiles, allowing enterprises to implement corrective measures. The compliance procedure determines, for example, whether a third-party data processor implemented data encryption in all employees’ machines. This is important information because if one of its employees loses a third-party laptop that contains personal data from the enterprise data set and the personal data are stolen and leaked, the enterprise, as the data administrator (controller), is accountable for the personal information that is made public and legally responsible for infringement on the rights of the people whose personal data are stolen. A timely risk assessment reveals threats and points of failure, allowing the enterprise and a third party to work together on ground rules concerning security and avoid not only serious financial consequences, but also severe damage to the enterprise image.
A deeper knowledge of enterprise third-party providers and successfully implementing proper monitoring mechanisms (e.g., risk profiles, auditing, compliance checks) significantly raises the overall security of enterprise business activities and helps to ensure compliance with personal-data regulations, including GDPR.
Endnotes
1 From interviews and discussions that the author conducted during GRC projects realization (2013-2019) and as a part of Global Access Program, under the auspices of the University of California, Los Angeles (UCLA), California, USA, July-December 2015
2 Ibid.
3 GDPR, “Art. 4: Controller and Processor,” Intersoft Consulting, http://gdpr-info.eu/chapter-4/
4 In this article, the terms provider, business partner, contractor, third party, processor and vendor are used interchangeably and have the same meaning.
Jan Anisimowicz, CRISC, CISM, PMP
Is a governance, risk management and compliance (GRC) expert and lecturer at domestic and international GRC conferences on business intelligence, big data and EU General Data Protection Regulation topics. He is a staunch advocate of regulatory-technology and financial-technology approaches. Anisimowicz can be reached at jan.anisimowicz@candf.com.