GDPR requires every firm to classify, review and enhance controls around its third parties (ref: GDPR Chapter 4)
As the GDPR go-live date of 25th May 2018 looms, every CFO and their colleagues responsible for both risk management and third parties should be aware of the importance of third-party relationships. Articles within the GDPR set out the fundamental requirements for ‘Data Controllers’ – about the nature of external contracts, the ongoing relationships with third-party ‘Data Processors’ and governing and managing those relationships effectively. Compliance around personal data is currently ‘centre stage’, but GDPR provides an opportunity for a firm to improve the way in which its relationships with all third parties are managed and controlled, to derive wider value and business improvement.
The impact on business reputation from effective third-party management
Most business sectors rely upon a complex network of interrelationships and interconnected processing – the so-called ‘extended enterprise’, or ‘business ecosystem’. Within such models, trust becomes a key issue. Dealing with an external partner or supplier means there is an implicit exchange of trust, and in doing so, you commit to trust the other party with your own, valued, business reputation. Any firm can transfer some responsibility to handle, protect and process personal data correctly, in line with an agreement between the parties. But it cannot transfer the accountability. This is recognised within GDPR, and also the impending, new UK Data Protection Bill.
That some unfortunate incident will arise somewhere within the web of business relationships around your own firm is increasingly probable. Through GDPR, the general public is becoming more informed and increasingly concerned about privacy. Anyone potentially impacted by any incident involving personal data, plus also the wider ‘court of public opinion’, will seek answers to fundamental questions, e.g. should the firm have considered the possibility of such an issue arising? Could the firm have done more to mitigate the issue? This becomes more complex when third parties are involved in the business value chain.
The Information Commissioner’s Office (ICO), who may suddenly be alerted to your existence, would start any enquiries with such fundamental questions. If you struggled to meet the ICO’s expectations about senior management being accountable for understanding, and being assured about how personal data is processed and managed, including by any appointed third parties, doubtless you would be on the back foot.
As any breach involving personal data manifests, unfolds and becomes public, it is highly probable that your business reputation will be impacted in some way. Typically, significant management time will then be required to attempt to rebuild that reputation, with consequent impact on the bottom line.
Organising and prioritising GDPR work on third parties
Driven by GDPR, your corporate inbox may reflect letters from various third-party suppliers, often including proposed changes to contractual terms. A piecemeal approach to responding is unlikely to be sensible or efficient. As a minimum, the CFO, or fellow responsible executive, should lay down three very straightforward challenges:
|1. Do we have an up-to-date inventory of all contracts and agreements with our third parties?
2. Do we have a process to classify our third parties, from a personal data processing and GDPR perspective?
3. Have we determined how much management effort will be required to manage and/or remediate the position, and what should we prioritise?
The challenge is usually far larger than initially expected, i.e. there may be third-party relationships managed disparately across the firm, some with no formal contract; little understanding about how you might classify those relationships for data protection purposes; or an over ambitious estimate of the effort required to become compliant.
Identifying ‘processors’ and compliant contractual terms
The classification of each third-party relationship is vitally important. Fundamentally, not all a firm’s ‘third parties’ are Data Processors from a data protection perspective. For those relationships that involve personal data, many may actually be ‘controller to controller’. A few others may be in the ‘joint controller’ category.
Only the balance will be ‘controller to processor’, which then invoke the specific GDPR requirements on the management of, and assurance around, Data Processors. The ICO website provides useful guidance on the characteristics of the relationship to help determine this classification.
Although you should ideally be proactive in doing your own inventory and classification work, third parties writing to you should make it clear how they classify their relationship with you. You must verify this carefully. Some considerations here include: which party collects what type of personal data, according to what lawful basis; and which party(ies) is (/are) determining the purpose and how the personal data gets processed. Further detailed analysis is required in each specific case.
If you identify another party as a ‘processor’ of personal data, it is a key priority to ensure that a suitable, compliant contract exists. The predecessor to GDPR, the DPA 1998, set out two minimum contractual provisions i.e. re a processor acting on the controller’s instructions; and provisions to be in place to implement security over personal data.
For GDPR, the ICO website includes guidance on a further six key provisions that now need to be reflected in contracts with third-party processors. This complex area has not been understood or applied well in practice, so this guidance is helpful.
Ongoing responsibilities regarding privacy, oversight & assessment
A working definition of third-party risk management is ‘the implementation of policies, strategies and processes to identify, assess, manage, and control risks presented by external third parties throughout the life cycle of relationships’, i.e. certainly not a one off compliance exercise for GDPR, but an ongoing responsibility and an imperative for effective management, both of commercial outcomes and business reputation.
Crowe’s view is that there components are required for an effective third-party risk management approach that incorporates privacy risks. A comprehensive understanding of how personal data is handled across all business functions is a pre-requisite.
- Third-party privacy management approach
The firm’s privacy policies and notices should have been reviewed and be compliant for GDPR. But the privacy management approach should include a process to manage privacy risks across the supplier lifecycle. It should include: a classification of third parties, by third-party type and business risk; an appropriate privacy impact assessment if required; the standard and execution of privacy due diligence; the requirement for periodic assurance on privacy elements; and privacy-aligned contractual clauses to be incorporated.
For high-priority third parties, you need to be clear on how the control framework at the third party operates, including how they would respond to any incident involving personal data.
- Third-party oversight and control framework
Firms benefit from implementing a holistic oversight and control framework around their third parties. Taking privacy as just one of the components, this framework should incorporate all aspects required to manage third parties, including all required policies and standards. It should also include a formal reporting process, covering issues to be managed and escalated.
Definition of expected minimum standards for third parties is key, e.g. IT processing – ongoing ISO 27001 certification; core business processing – ongoing evidence through SOC reports; and payment processing – ongoing PCI-DSS compliance. Clearly, the specific standards and required controls will vary by type of third party. The involvement of the Finance function in monitoring key control standards can be essential.
- An ongoing third-party assessment programme
An effective management and governance approach for third parties requires a tiered assessment programme, using a risk-based, ‘triage’ concept for the nature and frequency of that assessment. The programme should reflect how those reviews and visits get executed e.g. questionnaire, third-party site visit etc.
When it’s done right, it’s never done
Effective management of third parties is complex. It has become a ‘core competence’ in many firms, and a competitive differentiator between firms. A holistic approach means delivering ongoing assurance around third parties, within a structured and risk-based framework. Getting it right can bring commercial returns, but can also help to protect the firm’s reputation – including where events or incidents arise.
GDPR brings new energy, which, although just focused on the personal data management imperative, can be helpful in highlighting that third-party risks have typically not been well managed to date. GDPR brings an ongoing responsibility for compliance, but also for firms to continue to implement effective governance, control and accountability over their network of third-party relationships.
Crowe Horwath LLP is a member of the Crowe Horwath International (CHI) network of accounting, tax, risk and performance management firms. Crowe has years of experience implementing regulatory and compliance changes and helping firms refine their approach to risk management. Justin Baxter is a Partner in the London office and together with Neil Adams, and Neil Mockett, they are leading the development with clients of practical and pragmatic approaches to the challenges presented by GDPR and third-party risk management.