GDPR requires every firm to classify, review and enhance controls around its third parties (ref: GDPR Chapter 4)

As the GDPR go-live date of 25th May 2018 looms, every CFO and their colleagues responsible for both risk management and third parties should be aware of the importance of third-party relationships. Articles within the GDPR set out the fundamental requirements for ‘Data Controllers’ - about the nature of external contracts, the ongoing relationships with third-party ‘Data Processors’ and governing and managing those relationships effectively. Compliance around personal data is currently ‘centre stage’, but GDPR provides an opportunity for a firm to improve the way in which its relationships with all third parties are managed and controlled, to derive wider value and business improvement.

 

The impact on business reputation from effective third-party management

Most business sectors rely upon a complex network of interrelationships and interconnected processing - the so-called ‘extended enterprise’, or ‘business ecosystem’. Within such models, trust becomes a key issue. Dealing with an external partner or supplier means there is an implicit exchange of trust, and in doing so, you commit to trust the other party with your own, valued, business reputation. Any firm can transfer some responsibility to handle, protect and process personal data correctly, in line with an agreement between the parties. But it cannot transfer the accountability. This is recognised within GDPR, and also the impending, new UK Data Protection Bill.

That some unfortunate incident will arise somewhere within the web of business relationships around your own firm is increasingly probable. Through GDPR, the general public is becoming more informed and increasingly concerned about privacy. Anyone potentially impacted by any incident involving personal data, plus also the wider ‘court of public opinion’, will seek answers to fundamental questions, e.g. should the firm have considered the possibility of such an issue arising?  Could the firm have done more to mitigate the issue? This becomes more complex when third parties are involved in the business value chain.

The Information Commissioner’s Office (ICO), who may suddenly be alerted to your existence, would start any enquiries with such fundamental questions. If you struggled to meet the ICO’s expectations about senior management being accountable for understanding, and being assured about how personal data is processed and managed, including by any appointed third parties, doubtless you would be on the back foot.

As any breach involving personal data manifests, unfolds and becomes public, it is highly probable that your business reputation will be impacted in some way. Typically, significant management time will then be required to attempt to rebuild that reputation, with consequent impact on the bottom line.

 

Organising and prioritising GDPR work on third parties

Driven by GDPR, your corporate inbox is probably filling with letters from third-party suppliers, often including proposed changes to contractual terms. Responding to each one piecemeal is neither sensible nor efficient. As a minimum, the CFO, or the fellow executive responsible, should lay down three very straightforward challenges:

 

1.   Do we have an up-to-date inventory of all contracts and agreements with our third parties?

2.   Do we have a process to classify our third parties, from a personal data processing and GDPR perspective?

3.   Have we determined how much management effort will be required to manage and/or remediate the position, and what should we prioritise?

 

The challenge is usually far larger than initially expected: third-party relationships may be managed disparately across the firm, some with no formal contract at all; there may be little understanding of how to classify those relationships for data protection purposes; and the effort required to become compliant is often underestimated.

Identifying ‘processors’ and compliant contractual terms

The classification of each third-party relationship is vitally important. Fundamentally, not all a firm’s ‘third parties’ are Data Processors from a data protection perspective. For those relationships that involve personal data, many may actually be ‘controller to controller’. A few others may be in the ‘joint controller’ category.

Only the remainder will be ‘controller to processor’, and it is those relationships that invoke the specific GDPR requirements on the management of, and assurance around, Data Processors. The ICO website provides useful guidance on the characteristics of a relationship that determine this classification.

Although you should ideally be proactive in doing your own inventory and classification work, third parties writing to you should make it clear how they classify their relationship with you. Do not take that classification on trust; verify it. Considerations include: which party collects which types of personal data, and on what lawful basis; and which party (or parties) determines the purposes and means of the processing. Detailed analysis is required in each specific case.

If you identify another party as a ‘processor’ of personal data, it is a key priority to ensure that a suitable, compliant contract exists. The predecessor to GDPR, the DPA 1998, set out only two minimum contractual provisions: that the processor acts only on the controller’s instructions, and that security measures are in place over the personal data.

For GDPR (Article 28(3)), the ICO website includes guidance on a further six key provisions that now need to be reflected in contracts with third-party processors. This area has not been well understood or applied in practice, so the guidance is helpful.

Ongoing responsibilities regarding privacy, oversight & assessment

A working definition of third-party risk management is ‘the implementation of policies, strategies and processes to identify, assess, manage, and control risks presented by external third parties throughout the life cycle of relationships’, i.e. certainly not a one off compliance exercise for GDPR, but an ongoing responsibility and an imperative for effective management, both of commercial outcomes and business reputation.

Crowe’s view is that three components are required for an effective third-party risk management approach that incorporates privacy risks. A comprehensive understanding of how personal data is handled across all business functions is a prerequisite.

  1. Third-party privacy management approach

The firm’s privacy policies and notices should have been reviewed and be compliant for GDPR. But the privacy management approach should include a process to manage privacy risks across the supplier lifecycle. It should include: a classification of third parties, by third-party type and business risk; an appropriate privacy impact assessment if required; the standard and execution of privacy due diligence; the requirement for periodic assurance on privacy elements; and privacy-aligned contractual clauses to be incorporated.

For high-priority third parties, you need to be clear on how the control framework at the third party operates, including how they would respond to any incident involving personal data.

  2. Third-party oversight and control framework

Firms benefit from implementing a holistic oversight and control framework around their third parties. Taking privacy as just one of the components, this framework should incorporate all aspects required to manage third parties, including all required policies and standards. It should also include a formal reporting process, covering issues to be managed and escalated.

Defining the expected minimum standards for third parties is key, e.g. IT processing – ongoing ISO 27001 certification; core business processing – ongoing evidence through SOC reports; and payment processing – ongoing PCI DSS compliance. Clearly, the specific standards and required controls will vary by type of third party. Certification is evidence of a control environment, not a substitute for the contractual terms or for your own assurance. The involvement of the Finance function in monitoring key control standards can be essential.

  3. An ongoing third-party assessment programme

An effective management and governance approach for third parties requires a tiered assessment programme, using a risk-based ‘triage’ concept to set the nature and frequency of each assessment. The programme should specify how those reviews and visits are executed, e.g. self-attestation, questionnaire, third-party site visit.
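The three challenges above (inventory, classification, prioritisation), the processor-contract provisions and the tiered assessment programme can be made concrete in a small triage script. The following is an added example, not code from Crowe or the ICO: the scoring weights, tier thresholds, assessment frequencies and the sample inventory are all assumptions chosen for illustration. The one part that is not assumed is the list of clauses a controller-to-processor contract must contain, which follows GDPR Article 28(3)(a)–(h).

```python
"""Triage a constructed third-party inventory for GDPR processor work.

Added example. Weights, thresholds and the sample suppliers are assumptions;
only the Article 28(3) clause list is taken from the Regulation.
"""
from dataclasses import dataclass

# GDPR Article 28(3) provisions a controller-to-processor contract must carry.
ARTICLE_28_PROVISIONS = frozenset({
    "documented_instructions",     # 28(3)(a) process only on documented instructions
    "confidentiality",             # 28(3)(b) authorised persons bound to confidentiality
    "security_measures",           # 28(3)(c) Article 32 security measures
    "sub_processor_conditions",    # 28(3)(d) sub-processors only with authorisation, same terms
    "assist_data_subject_rights",  # 28(3)(e) assist with data subject requests
    "assist_security_and_dpia",    # 28(3)(f) assist with Articles 32-36 (security, breach, DPIA)
    "delete_or_return",            # 28(3)(g) delete or return data at end of service
    "audit_rights",                # 28(3)(h) make information available, allow audits
})

# Article 9 special categories attract extra weight (assumption: simplified list).
SPECIAL_CATEGORIES = frozenset({"health", "biometric", "genetic", "ethnicity",
                                "religion", "political", "sexual_orientation"})

ROLE_WEIGHT = {"processor": 3, "joint_controller": 2, "controller": 1, "none": 0}


@dataclass
class ThirdParty:
    name: str
    role: str                      # "processor", "controller", "joint_controller" or "none"
    data_categories: frozenset
    record_count: int
    has_contract: bool
    contract_provisions: frozenset = frozenset()
    certifications: frozenset = frozenset()


def missing_provisions(tp: ThirdParty) -> frozenset:
    """Article 28(3) clauses absent from a processor contract (empty for non-processors)."""
    if tp.role != "processor":
        return frozenset()
    if not tp.has_contract:
        return ARTICLE_28_PROVISIONS
    return ARTICLE_28_PROVISIONS - tp.contract_provisions


def volume_weight(records: int) -> int:
    if records > 100_000:
        return 3
    if records > 10_000:
        return 2
    return 1 if records > 0 else 0


def risk_score(tp: ThirdParty) -> int:
    """Additive score; higher means earlier attention. All weights are assumptions."""
    if tp.role not in ROLE_WEIGHT:
        raise ValueError(f"unknown role {tp.role!r} for {tp.name}")
    score = ROLE_WEIGHT[tp.role]
    if tp.data_categories & SPECIAL_CATEGORIES:
        score += 3
    score += volume_weight(tp.record_count)
    if tp.role != "none" and not tp.has_contract:
        score += 2                                   # no formal contract at all
    score += min(len(missing_provisions(tp)), 3)    # contract gaps, capped
    return score


def tier(score: int) -> str:
    return "high" if score >= 8 else "medium" if score >= 4 else "low"


def assessment_plan(tp: ThirdParty) -> dict:
    """Triage output: tier, how and how often to assess, and clauses to remediate."""
    score = risk_score(tp)
    t = tier(score)
    if tp.role == "none":
        method, months = "out of scope (no personal data)", None
    elif t == "high":
        method, months = "site visit", 12
    elif t == "medium":
        method, months = "questionnaire", 12
    else:
        method, months = "self-attestation", 24
    # A current ISO 27001 certificate is evidence, not a replacement for the clauses.
    if "ISO27001" in tp.certifications and t == "medium":
        method = "questionnaire plus certificate check"
    return {"name": tp.name, "score": score, "tier": t, "method": method,
            "frequency_months": months, "remediate": sorted(missing_provisions(tp))}


def triage(inventory) -> list:
    """Highest-risk third parties first, so remediation effort is prioritised."""
    return sorted((assessment_plan(tp) for tp in inventory),
                  key=lambda p: p["score"], reverse=True)


# Constructed sample inventory (not real suppliers).
SAMPLE_INVENTORY = [
    ThirdParty("Benefits administrator", "processor", frozenset({"contact", "health"}), 12_000,
               True, frozenset({"documented_instructions", "security_measures"})),
    ThirdParty("Payroll bureau", "processor", frozenset({"contact", "financial"}), 2_500,
               True, frozenset({"documented_instructions", "security_measures"}),
               frozenset({"ISO27001"})),
    ThirdParty("Cloud CRM", "processor", frozenset({"contact"}), 150_000, True,
               ARTICLE_28_PROVISIONS),
    ThirdParty("Marketing agency", "controller", frozenset({"contact"}), 5_000, True),
    ThirdParty("Freelance developer", "processor", frozenset({"contact", "financial"}), 800, False),
    ThirdParty("Stationery supplier", "none", frozenset(), 0, False),
]

if __name__ == "__main__":
    for plan in triage(SAMPLE_INVENTORY):
        freq = f"every {plan['frequency_months']} months" if plan["frequency_months"] else "no assessment"
        print(f"{plan['score']:>2} {plan['tier']:<6} {plan['name']:<22} {plan['method']}, "
              f"{freq}; remediate: {plan['remediate']}")
```

Two points the output makes that the text only implies: a DPA 1998-era contract that covers only instructions and security still leaves six Article 28(3) gaps even at a certified supplier, and a processor with no contract at all outranks a large, well-papered cloud provider.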

 

When it’s done right, it’s never done

Effective management of third parties is complex. It has become a ‘core competence’ in many firms, and a competitive differentiator between firms. A holistic approach means delivering ongoing assurance around third parties, within a structured and risk-based framework. Getting it right can bring commercial returns, but can also help to protect the firm’s reputation - including where events or incidents arise.

GDPR brings new energy which, although focused only on the personal data imperative, is helpful in highlighting that third-party risks have typically not been well managed to date. GDPR brings an ongoing responsibility for compliance, and with it an obligation on firms to keep implementing effective governance, control and accountability over their network of third-party relationships.

 

Website: www.crowehorwath.com/UK 

Crowe Horwath LLP is a member of the Crowe Horwath International (CHI) network of accounting, tax, risk and performance management firms. Crowe has years of experience implementing regulatory and compliance changes and helping firms refine their approach to risk management. Justin Baxter is a Partner in the London office and together with Neil Adams, and Neil Mockett, they are leading the development with clients of practical and pragmatic approaches to the challenges presented by GDPR and third-party risk management.

Written by Justin Baxter, Neil Adams and Neil Mockett from Crowe Horwath

The deadline for the enforcement of the General Data Protection Regulation (GDPR) provisions in May 2018 has finally reached the agenda of most companies. It coincides with an increasing fever pitch in the press and on social networks regarding cyber attacks, hackers from the east, Smart TVs watching us, et al. Privacy is news. Businesses that get caught out on privacy matters are subject to huge focus in social networking circles.

The recent focus on GDPR as “something new” is a surprise though. GDPR builds on the principles of the EU Data Protection Directive, which the UK implemented through the Data Protection Act 1998, and the Regulation itself entered into force in May 2016, with a two-year transition before it applies from 25 May 2018. It is an unfortunate fact that this new regulation is turning the spotlight on how lax some companies may have been since 1998, and as a result the scale of the current programme to address GDPR provisions suddenly appears very significant.

 

Privacy and Security

Privacy is an individual thing. It is increasingly apparent that as individuals we need to be more aware and protect our digital existence. Firms have to accept that the “privacy train has left the station” and people are demanding more control over personal data.

Central to the issue are two core principles: the respect for privacy; and the provision of adequate security. Importantly, underlying this is the notion of custodianship. It is this custodianship that should be considered as a key corporate responsibility and one that defines the seriousness with which firms have responded. In the event of a breach of privacy, this is where the regulators will look first.

Appreciating how you are impacted as an individual is relevant. It is hard not to conclude that the provisions of current privacy laws are not keeping up with the pervasiveness of today’s technology. It is a salutary exercise to count up the number of devices connected to the internet in your home – most are capable of enabling access and extracting information. The latest concerns expressed by Tim Berners-Lee that we have lost control of our personal data is timely. Whether we like it or not, privacy matters.

 

Why GDPR is different

Successfully addressing the requirements of GDPR requires a number of important challenges to be overcome.

 

All these points will test a firm’s approach to risk and risk appetite for data protection related activity. At the end of the day, data protection is just another operational risk.

 

Stewardship: The CFO is no stranger to stewardship. The addition of custodianship should fit quite easily but requires absolute confidence that all preparations for GDPR are sufficient.

Lines of Defence: Executives within the “second line of defence” will have a key role in ensuring an independent perspective is maintained. Executives in the “first line of defence” will be confronted with many of the decisions and implications of GDPR-driven changes, and with judging what a proportionate response is. The CFO and CEO may be drawn into debates about both areas.

Managing GDPR incidents: In the event of a breach, it will often be the CFO and CEO in the spotlight, with tensions rising as the matter becomes an exercise in crisis management. Anecdotal evidence suggests that the “finger pointing” starts very quickly. By then it is too late, as one of the first tests will be to evidence that reasonable steps had been taken to prevent the incident happening.

 

It starts with taking the view of the customer

In assessing any privacy issue, the key question is “What would you have expected the firm to have done?” Fuelled by privacy stories, customers will learn quickly of their rights and will have expectations of the response they will get when approaching your business to exercise them. They will also assume that, should something happen, it is controlled and they are informed. Firms need to beware of the power of the customer to disrupt, especially given the viral nature of social media. Including the customer view from the outset means that this dialogue, should it arise, will better reflect the intended approach of the firm. Custodianship is a serious responsibility.

 

Pragmatic steps to ensure appropriate oversight and control

Senior executives should own the GDPR programme and maintain a keen eye to ensure it does not drift into a purely second-line compliance project.

Progress assessment: The hardest question to answer in absolute terms is “when will we be compliant with GDPR?” A number of measures can be constructed around some simple principles: the less sensitive data you lose, the more manageable the response; the more you understand what personal data you have, the better you can secure it; and the more information you can provide about a breach, the more likely you are to receive an empathetic hearing from customers and regulators. Measures should be designed to help people understand how far you have secured a reasonable position. It will focus minds.

 

Risk-based approach: It is essential that a risk-based approach to GDPR-related decisions is taken. Decisions on data minimisation and retention periods, for example, will expose tensions between the need to comply and the commercial and practical implications of deleting customer data.

 

Governance and Accountability: GDPR assumes an ongoing commitment by the firm to embrace its privacy and security responsibilities. There is no big bang and therefore, arguably, no obvious finishing line. The voice of all stakeholders across the GDPR programme needs to be represented through to the Board.

 

Measuring operational impacts: There will be operational implications should customers, past and present, exercise their new rights under GDPR. For example, early indications suggested a 25–40% increase in the number of subject access requests. To this must be added an estimate for the new rights (including erasure, the so-called right to be forgotten, and data portability). Will current response processes be up to it?

 

Pragmatism is the watchword: Implementing regulatory change is not straightforward. A pragmatic and practical approach is essential to overcome many of the issues that will be raised. The risk of projects becoming detached from the realities of running a business is high; the message of effective custodianship will help. The firm must be able to demonstrate and justify the pragmatic judgements taken on the journey towards its compliant position. Permitting every possible aspect to be debated at length will likely result in compliance paralysis. The importance of proportion and measured decision making therefore cannot be overstated.

 

Be prepared

Personal data is an asset and companies are its custodians. The expectations we have of how other organisations handle our own personal data should inform how we play our own roles within our organisations. The way we work with colleagues to achieve a level of assurance and mutual confidence is key. There are effective ways to think about and implement regulatory change, and they need to ensure that the response to the various challenges of GDPR outlined above is appropriate, measured and reasonable. If you have to react to a privacy incident, a clearly agreed position on custodianship responsibilities will be a good place to start a defence.
