Three Steps Every Risk Manager Can Take to Prepare for GDPR Today

by Liesl Geier

While much of the world woke up in the new year with a renewed sense of commitment to a variety of personal goals, many security professionals had GDPR on their minds, and for good reason. The impending European Union (EU) General Data Protection Regulation (GDPR) requires that any organization that handles or processes EU citizen data, regardless of where it is located, have the proper security and data protections in place for that data. Noncompliance carries significant financial ramifications, including fines of up to 4% of annual global turnover or €20 million, whichever is greater.

“Under GDPR, organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines, e.g. a company can be fined 2% for not having its records in order (Article 28), not notifying the supervising authority and data subject about a breach, or not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors — meaning ‘clouds’ will not be exempt from GDPR enforcement.”

For some organizations, ensuring compliance is neatly contained within their own security practice. For most, however, compliance extends to the IT vendors and third parties in their digital ecosystem, because companies that outsource data processing to a third party, contractor or partner remain responsible for the security of that data.

GDPR may be a new regulation, but this story is as old as your digital ecosystem. You have an obligation to protect your customers' data, and that obligation extends to your third parties. Many organizations have acknowledged this by implementing third-party risk management programs. Even with those practices in place, however, most still don't have a clear understanding of the controls their third parties have implemented to protect their data, or of the gaps that need to be addressed. Meanwhile, we continue to read industry reports about the increase in third-party related breaches.


This creates a third-party risk Bermuda Triangle of sorts: our continued reliance on third parties intersects with an increase in third-party related breaches and growing regulatory scrutiny. These factors create a powerful trifecta, but the good news is that there are some steps we can help you take today to get your house in order:

1. Identify which of your third parties control or process EU citizen data

Our customer success and services team can help you survey your digital ecosystem to identify your third parties who may need to be GDPR compliant.

2. Assess your third parties to determine if they have any gaps in GDPR requirements

CyberGRX assessments now include GDPR readiness questions around controller and processor requirements that help organizations identify and confirm whether their third parties have the proper GDPR controls and security strategy in place.

3. Prioritize any potential gaps in your third-party program and create a mitigation strategy

Our advanced analytics, dynamic risk assessments and customer success team will help you identify and prioritize any gaps, so you can create a mitigation strategy with your third parties in advance of the May 25, 2018 enforcement date.

Download our CyberGRX GDPR datasheet to learn more.

Contact us today to discuss how CyberGRX can help you prepare for GDPR and arm you with a risk-based approach to third-party risk management.
