In 2018, the General Data Protection Regulation (GDPR) came into effect in the European Union, leading many organizations to continuously work to adhere to the regulation. Once internal procedures have adapted to GDPR, organizations must work with third parties and providers, known in this context as data processors, to become completely GDPR-compliant. According to GDPR, and derived from the accountability principle, data controllers can only choose and use trusted data processors that are able to assure they can protect data privacy according to controllers’ requirements:
Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
Initially, most organizations approach this need by adapting the contracts signed with their providers and sending them long questionnaires with the security requirements for data protection in an effort to show due diligence to data protection authorities.
This method is very quick to implement, but has some issues:
- There are high hidden costs from the administrative work needed to manage questionnaires, e.g., preparing and sending the questionnaire, following up on answers, resolving the doubts vendors report, and preparing a report after receiving responses.
- The level of assurance is very low. There is no way to verify whether the answers given by the vendor are true.
- The effort put into one questionnaire cannot easily be reused for other vendors.
In fact, this approach relies on just one method and is not enough to manage the risk posed by third parties and vendors. Data controllers need a combined set of tools and mechanisms to effectively understand and manage that risk. Basically, data controllers must:
- Evaluate the criticality of the services they are using (because the risk depends on the service, not the vendor).
- Define the level of security for each level of criticality. (Low-risk services should implement lower levels of security than high-risk services.)
- Establish the level of assurance that vendors must demonstrate. (Again, low assurance methods could be right for low-risk services, but higher risk services should be evaluated with higher assurance methods, for example, remote or in-house audits.)
- Define the period of time between compliance checks.
Implementing this kind of process allows organizations not only to know whether data processors are meeting the organization’s expectations, but also to monitor adherence to their specific criteria with a risk‑based approach (since data controllers cannot audit every processor, and cannot trust a processor on the basis of a questionnaire alone).
For this reason, vendor risk management is an essential tool for GDPR compliance. It is very difficult for data controllers to show due diligence in choosing and monitoring data processors if they have not implemented a sound vendor risk management procedure.