- About Us
- Request Demo
The European Union’s General Data Protection Regulation (GDPR), which takes effect on May 25, 2018, strengthens data privacy rights for EU citizens and gives regulatory authorities greater powers to take action against companies that breach the law.The regulation introduces some tough new penalties of fines of up to 4% of Annual Global Revenue or 20 Million Euros – whichever is higher. Just to put this in context for the Global 2000 (which have revenues between $1.6 Billion and $171.1 Billion according to Forbes), this means fines could potentially amount to between $64 Million and $6.84 Billion.
With this magnitude of enforcement potential, not to mention the reputational damage that comes from serious breaches of personal information, it is important to be ahead of this regulation.
Most companies that are impacted (that’s any entity that touches personal data on EU citizens, even if the entity did not collect that information itself) will have compliance initiatives underway. However, there’s one essential element that should not be overlooked or left until the last minute. And that’s your third party compliance.
Why Third Parties are an Important Point of Focus
The question needs to be asked – into whose hands are you placing your company’s reputation and exposure to significant financial penalty? More often than not, your third parties are your greatest area of risk exposure – for data security, and for regulatory compliance. How well do you know them?
Third parties are often the weakest link in a company’s data security, and are implicated in about 63% of all data breaches. Some of the largest financial penalties for data control failures to date, including those involving Home Depot, Target and AT&T, have been as a consequence of third party actions. These enforcements have already seen costs running into the hundreds of millions of dollars. Now, the GDPR has just raised the stakes even higher.
It’s also useful to look to other extra-territorial regulation and the trends in enforcement that have developed over time. Regulators generally tend to ‘bare their teeth’ and take prominent (often headline-grabbing) actions early. They telegraph (and even state explicitly) what their areas of focus will be. Elizabeth Denham, UK Information Commissioner, for instance, has already stated that the ICO will be looking at investigations that have the largest impact on the privacy rights of individuals, and that technology firms will be in the cross-hairs.
If you look to other regulation, such as the FCPA, the one thing that has been consistent across its history is that the vast majority of enforcements – around 93% – have been due to third party actions. Regulators often focus on the weakest link of compliance as this is where risk exposure is greatest, and more often than not this has turned out to be third parties.
And finally, despite its elevated risk, third party compliance is too often overlooked or even placed in the ‘too-hard’ basket. With a focus on compliance within the figurative ‘four-walls’ of an enterprise, companies are failing to properly consider the impact of their ‘extended-enterprise’. But, under the GDPR and other regulation, not only do you need to keep your own house in order – you need to be confident in compliance of your third parties’ houses as well.
When it’s potentially many millions to billions of dollars of enforcement fines that your third parties could be exposing you to, it pays to have robust programs in place.
Key Roles and Definitions in the GDPR
The GDPR strengthens data privacy protections for EU citizens in the age of cloud computing, when personal data is collected easily by IT services and government agencies and sometimes used in ways beyond an individual’s knowledge or control. The law was passed by the EU Parliament’s Civil Liberties Committee on April 14, 2016 and takes effect on May 25, 2018, becoming the law of the land in all 29 EU Member States.
Building on earlier legislation, principally as the EU Data Privacy Directive (95/46/ec) which passed in 1995, the GDPR re-establishes an EU citizen’s right to know what personally identifiable information (PII) about them is being collected, why it is being collected, who is using it, and how. The law re-affirms EU citizens’ long-standing right to have their PII deleted (in most cases), data access rights, and establishes new rules for data portability, allowing citizens to request their data from one service provider so it can be transferred to another.
And what is PII? According to the GDPR, it is:
“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
For example, PII could be a database record with a customer’s name, address, and phone number, or it could be as simple as the IP address or MAC address of a consumer’s laptop or smartphone. It could even be a consumer’s post on a social media site about politics, religion, health status, or mood.
Why Third Parties are an Important Point of Focus
Like the EU Data Privacy Directive (95/46/ec), the GDPR defines roles for citizens and organizations working with PII:
The GDPR also defines a personal data breach, which is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” (Article 4)
How the GDPR Differs from the EU Data Privacy Directive
How is it different from the EU’s earlier data protection law, the Data Privacy Directive? Here are eleven key differences.
The GDPR is truly global. If an enterprise, regardless of where it is based, is handling the PII of EU citizens, then that enterprise is under the jurisdiction of the GDPR, even if it is outside of the EU.
What Steps should Companies be taking now to Manage Third Party Compliance with the GDPR?
Clearly, the GDPR has sweeping ramifications for any organization providing goods or services to EU citizens. But those ramifications become broader when you consider all the third parties that are essential to any Global 2000 organization’s daily operations.
Third parties, which could range from marketing agencies, to debt collection agencies, to law firms, to individual contractors such as software programmers, must also comply with the GDPR if they are involved in any way with the collection or processing of PII for employees, customers or contacts.
Global 2000 companies need to be working on their GDPR Third Party Compliance Programs now. These can take some time to understand, develop and implement and, considering the third-party risks involved, should not be an afterthought.
Here are five steps, together with some suggested timeframes, that you should be taking now:
You will need to ensure that both your organization and your third parties have the policies, processes and technologies in place to support permissioning of client, contact and employee data. The technologies need to provide auditable consent, ability to withdraw consent to use personal data, deletion of all personal data, data access rights, and data portability. Based on the purpose of collecting this information, your firm may be required to store this client information in a separate digital warehouse.
Further, if you are a controller, you should be ensuring that policies and technologies are in place to detect data breaches and to notify supervisory authorities promptly should any data breaches or other violations occur.
The EU supervisory authorities will begin enforcing the GDPR in May of 2018.
To learn about the Aravo solution for GDPR Third Party Risk Management, please contact us.