The General Data Protection Regulation (GDPR) is one of the world’s most rigorous data privacy protection laws. Though the European Union (EU) designed the GDPR to protect European citizens, its compliance transcends European borders, impacting most businesses collecting personal data via their websites - because you can’t control whether a European citizen accesses your website. The GDPR complements other EU regulations, including the Digital Operational Resilience Act (DORA).
Third-party vendors often require access to sensitive personal data to deliver their services. Cybercriminals know this and have developed a distinct category of cyberattacks exploiting this sensitive data pathway - supply chain attacks. This third-party relationship means inferior cybersecurity standards in your third-party network could negatively impact your GDPR compliance. To complement the risk mitigation efforts of the GDPR, the Prudential Regulation Authority outlines its third-party risk management standards in the Supervisory Statement SS2/21.
The GDPR outlines a unilateral approach to third-party risk mitigation, expecting entities to discover and mitigate information security risks both internally and throughout the third-party network. These security measures can be summarized in a compliance framework supported by four primary pillars:
- Pillar 1: Risk assessments - Evaluating the data privacy standards of all service providers with access to personal data.
- Pillar 2: Compliance evidence gathering - Documenting GDPR security control evidence demonstrating compliance.
- Pillar 3: Continuous monitoring - For all forms of third-party security risks.
- Pillar 4: Audit trail capabilities - The mapping of informational flow across the vendor ecosystem.
For more details on the compliance requirements of all the specific GDPR recitals and Articles pertaining to Third-Party Risk Management (TPRM), read on.
Meeting all of the GDPR Requirements Relating to Third-Party Risk Management (and Vendor Risk Management)
The third-party security vulnerability due diligence standards outlined by the GDPR can be mapped to both a Third-Party Risk Management program and a Vendor Risk Management program. The difference between the two is that a TPRM program includes security controls for all forms of third-party risks, including reputational and financial risks, whereas a VRM program focuses explicitly on mitigating security risks for third, and even fourth-party vendors.
To encourage a more holistic approach to GDPR compliace, where third-party risks are more likely to be considered, be sure to also reference these advanced GDPR compliance tips while drafting your compliance plan.
What’s the Difference Between a GDPR Article and Recital?
The GDPR is a legal document, and reading it can get overwhelming if you’ve had little to no experience with such documents.
Here’s a quick explanation of the GDPR’s structure to make the document easier to understand:
The GDPR is comprised of two components - articles and recitals. Articles outline the legal requirements of the GDPR that entities must follow to achieve compliance. Recitals offer supportive information, explaining what actions should be taken to meet the requirements of each article.
GDPR Article 24: Responsibility of the Controller
The first paragraph of Article 24 is as follows:
Taking into account the nature, scope, context, and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.
Article 24 maps to four recitals:
- Recital 74 - Responsibility and Liability of the Controller.
- Recital 75 - Risks to the Rights and Freedoms of Natural Persons.
- Recital 76 - Risk Assessment.
- Recital 77 - Risk Assessment Guidelines
Learn more about data processors, data controllers, and data protection officers >
Meeting the Third-Party Risk Requirements of GDPR Article 24
Ensure each third party used as a data processor has the appropriate security controls in place for protecting personal data.
Learn how to communicate third-party risk to the Board >
How UpGuard can help you comply with Article 24 of the GDPR
UpGuard offers a GDPR security questionnaire for assessing the security control efforts of all third-party services. For highly-targeted assessments of specific security controls or data processing activities, UpGuard offers a customer questionnaire builder. Custom questionnaires can either be built from a blank canvas or created by editing an existing template.
Learn more about UpGuard‘s custom questionnaire builder >
GDPR Article 25: Data Protection by Design and by Default
The first paragraph of Article 25 is as follows:
Taking into account the state of the art, the cost of implementation and the nature, scope, context, and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
Article 24 maps to one recital:
- Recital 78 - Appropriate Technical and Organizational Measures
Meeting the Third-Party Risk Requirements of GDPR Article 25
Creating Information transfer audit trails extending to the fourth-party vendor network will uncover potential exposure and data portability issues impeding the minimization requirement of article 25.
It also helps audit “build-in” and “bolt-on” cybersecurity practices. The findings from such reports will uncover high-risk third-party compliance deficiencies in each vendor’s security program.
How UpGuard can Help you comply with Article 25 of the GDPR
UpGuard’s attack surface monitoring solution can help you identify security risks extending to the fourth-party vendor network.
Get free 7-day trial of UpGuard >
GDPR Article 28: Processor
The first paragraph of Article 28 is as follows:
Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
Article 28 maps to one recital:
- Recital 81 - The use of Processors
How UpGuard can Help you comply with Article 28 of the GDPR
UpGuard continuously monitors the third-party attack surface to discover vulnerabilities potentially leading to security incidents and data breaches. UpGuard risk assessment feature can also map responses to popular regulatory standards, such as the GDPR, to help you discover potential technical and organizational measures failing to meet the standards stipulated in your data processing agreement.
Learn about the top Third-Party Risk Management solutions on the market >
GDPR Article 32: Security of Processing
The first paragraph of Article 32 is as follows:
Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller, and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate.- The pseudonymization and encryption of personal data;
- The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
- The ability to restore the availability and access to personal data promptly in the event of a physical or technical incident;
- A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
Article 32 maps to six recitals:
- Recital 75 - Risks to the Rights and Freedoms of Natural Persons.
- Recital 76 - Risk Assessment.
- Recital 77 - Risk Assessment Guidelines
- Recital 78 - Appropriate Technical and Organizational Measures
- Recital 79 - Allocation of the Responsibilities
- Recital 83 - Security of Processing
Meeting the Third-Party Risk Requirements of GDPR Article 32
The ongoing confidentiality, integrity, availability, and resilience of processing systems and services for vendors is best determined through a combination of risk assessments and security ratings.
Security ratings evaluate each vendor’s security posture, and a value drop could indicate a critical security vulnerability in processing systems, placing personal data at risk of compromise.
In addition to risk assessment, penetration tests should be conducted to further evaluate the resilience of a vendor’s cybersecurity controls.
How UpGuard can Help you comply with Article 32 of the GDPR
UpGuard includes a security rating feature to help you quickly evaluate the security posture of new vendors during the onboarding process as well as existing vendors. UpGuard’s security rating allows you to track the effectiveness of remediation requests and discover potential lapses in security practices that increase privacy risk.
Get free 7-day trial of UpGuard >
GDPR Article 35: Data Protection Impact Assessment
The segments of Article 35 pertaining to third-party risk management are included below:
Where a type of processing, in particular, using new technologies and taking into account the nature, scope, context, and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.
The assessment shall contain at least:- A systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
- An assessment of the necessity and proportionality of the processing operations in relation to the purposes;
- An assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1 (above); and
- The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.
Article 35 maps to seven recitals:
- Recital 75 - Risks to the Rights and Freedoms of Natural Persons
- Recital 84 - Risk Evaluation and Impact Assessment
- Recital 89 - Elimination of the General Reporting Requirement
- Recital 90 - Data Protection Impact Assessment
- Recital 91 - Necessity of a Data Protection Impact Assessment
- Recital 92 - Broader Data Protection Impact Assessment
- Recital 93 - Data Protection Impact Assessment at Authorities
Meeting the Third-Party Risk Requirements of GDPR Article 35
Evaluate the potential impacts of new technology on personal data through a combination of risk assessments and quantitative (or qualitative) risk analysis. The process of projecting security impacts should be similar to the processes that were used to evaluate your risk appetite.
Learn how to calculate risk appetite for TPRM >
How UpGuard can Help you comply with Article 35 of the GDPR
UpGuard’s custom questionnaire builder allows you to tailor risk assessments to each unique threat analysis scenario. A questionnaire could be designed for article 35 of the GDPR, where the specific safeguard, security measures, and mechanisms ensuring personal data protection are analyzed.
Get free 7-day trial of UpGuard >
GDPR Article 45: Transfers on the Basis of an Adequacy Decision
The segments of Article 45 pertaining to third-party risk management are included below:
A transfer of personal data to a third country or an international organization may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organization in question ensures an adequate level of protection. Such a transfer shall not require any specific authorization.
When assessing the adequacy of the level of protection, the Commission shall, in particular, take account of the following elements:- The rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defense, national security, and criminal law, and the access of public authorities to personal data.
Article 45 maps to five recitals:
- Recital 103 - Appropriate Level of Data Protection Based on an Adequacy Decision
- Recital 104 - Criteria for an Adequacy Decision
- Recital 105 - Consideration of International Agreements For an Adequacy Decision
- Recital 106 - Monitoring And Periodic Review of The Level of Data Protection
- Recital 107 - Amendment, Revocation, And Suspension of Adequacy Decisions
Meeting the Third-Party Risk Requirements of GDPR Article 45
Be sure to investigate local breach notification laws for all entities processing personal data on both a member state and country levels. This will help you determine the quality of security controls specifically mapping to the requirements of these laws.
How UpGuard Can Help Organizations Comply with Article 45 of the GDPR
UpGuard’s advanced attack surface monitoring engine can quickly determine deficiencies in security controls by mapping to popular cybersecurity frameworks and regulations. UpGuard can also discover data leaks linked to third-party vendors, which could be early indicators of inadequate personal data protection practices. Additionally, organizations can begin managing their third-party risks with UpGuard's 24/7 continuous monitoring, real-time data breach or leak data, and assistance with remediation processes.
UpGuard also offers a security questionnaire for GDPR compliance, to offer a way for organizations to better manage their vendor's compliance to the strict data privacy law. The platform allows businesses to tier their vendors by risk level, review specific risks, as well as customize the questionnaire to meet their company's requirements.
