Meeting the Third-Party Risk Requirements of the GDPR in 2022

Edward Kost
updated Aug 09, 2022

The General Data Protection Regulation (GDPR) is one of the world’s most popular regulations. Though the European Union designed the GDPR to protect European citizens, its compliance transcends European borders, impacting most businesses collecting personal data via their websites - because you can’t control whether a European citizen accesses your website.

Third-party vendors often require access to sensitive personal data to deliver their services. Cybercriminals know this and have developed a distinct category of cyberattacks exploiting this sensitive data pathway - supply chain attacks. This third-party relationship means inferior cybersecurity standards in your third-party network could negatively impact your GDPR compliance.

The GDPR outlines a unilateral approach to third-party risk mitigation, expecting entities to discover and mitigate information security risks both internally and throughout the third-party network. These security measures can be summarized in a compliance framework supported by four primary pillars:

  • Pillar 1: Risk assessments - Evaluating the data privacy standards of all service providers with access to personal data.
  • Pillar 2: Compliance evidence gathering - Documenting GDPR security control evidence demonstrating compliance.
  • Pillar 3: Continuous monitoring - For all forms of third-party security risks.
  • Pillar 4: Audit trail capabilities - The mapping of informational flow across the vendor ecosystem.

For more details on the compliance requirements of all the specific GDPR recitals and Articles pertaining to Third-Party Risk Management (TPRM), read on.

Meeting all of the GDPR Requirements Relating to Third-Party Risk Management (and Vendor Risk Management)

The third-party security vulnerability due diligence standards outlined by the GDPR can be mapped to both a Third-Party Risk Management program and a Vendor Risk Management program. The difference between the two is that a TPRM program includes security controls for all forms of third-party risks, including reputational and financial risks, whereas a VRM program focuses explicitly on mitigating security risks for third- and even fourth-party vendors.

Figure: Venn diagram showing TPRM and VRM intersecting at Information Security.

Learn more about Vendor Risk Management.

Learn more about Third-Party Risk Management.

What’s the Difference Between a GDPR Article and Recital?

The GDPR is a legal document, and reading it can get overwhelming if you’ve had little to no experience with such documents.

Here’s a quick explanation of the GDPR’s structure to make the document easier to understand:

The GDPR is comprised of two components - articles and recitals. Articles outline the legal requirements of the GDPR that entities must follow to achieve compliance. Recitals offer supportive information, explaining what actions should be taken to meet the requirements of each article.

GDPR Article 24: Responsibility of the Controller

The first paragraph of Article 24 is as follows:

Taking into account the nature, scope, context, and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.

Article 24 maps to four recitals:

Learn more about data processors, data controllers, and data protection officers.

Meeting the Third-Party Risk Requirements of GDPR Article 24

Ensure each third party used as a data processor has the appropriate security controls in place for protecting personal data.

How UpGuard can help you comply with Article 24 of the GDPR

UpGuard offers a GDPR security questionnaire for assessing the security control efforts of all third-party services. For highly targeted assessments of specific security controls or data processing activities, UpGuard offers a custom questionnaire builder. Custom questionnaires can either be built from a blank canvas or created by editing an existing template.

Learn more about UpGuard’s custom questionnaire builder.

GDPR Article 25: Data Protection by Design and by Default

The first paragraph of Article 25 is as follows:

Taking into account the state of the art, the cost of implementation and the nature, scope, context, and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.

Article 25 maps to one recital:

  • Recital 78 - Appropriate Technical and Organizational Measures

Meeting the Third-Party Risk Requirements of GDPR Article 25

Creating information transfer audit trails that extend to the fourth-party vendor network will uncover potential exposure and data portability issues impeding the minimization requirement of Article 25.

It also helps audit “built-in” and “bolt-on” cybersecurity practices. The findings from such reports will uncover high-risk third-party compliance deficiencies in each vendor’s security program.

How UpGuard can Help you comply with Article 25 of the GDPR

UpGuard’s attack surface monitoring solution can help you identify security risks extending to the fourth-party vendor network.

Click here for a free 7-day trial of UpGuard.

GDPR Article 28: Processor

The first paragraph of Article 28 is as follows:

Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.

Article 28 maps to one recital:

How UpGuard can Help you comply with Article 28 of the GDPR

UpGuard continuously monitors the third-party attack surface to discover vulnerabilities potentially leading to security incidents and data breaches. UpGuard’s risk assessment feature can also map responses to popular regulatory standards, such as the GDPR, to help you discover potential technical and organizational measures failing to meet the standards stipulated in your data processing agreement.

GDPR Article 32: Security of Processing

The first paragraph of Article 32 is as follows:

Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller, and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

- The pseudonymization and encryption of personal data;

- The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;

- The ability to restore the availability and access to personal data promptly in the event of a physical or technical incident;

- A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

Article 32 maps to six recitals:

Meeting the Third-Party Risk Requirements of GDPR Article 32

The ongoing confidentiality, integrity, availability, and resilience of processing systems and services for vendors is best determined through a combination of risk assessments and security ratings.

Security ratings evaluate each vendor’s security posture, and a value drop could indicate a critical security vulnerability in processing systems, placing personal data at risk of compromise.

In addition to risk assessment, penetration tests should be conducted to further evaluate the resilience of a vendor’s cybersecurity controls.

How UpGuard can Help you comply with Article 32 of the GDPR

UpGuard includes a security rating feature to help you quickly evaluate the security posture of new vendors during the onboarding process as well as existing vendors. UpGuard’s security rating allows you to track the effectiveness of remediation requests and discover potential lapses in security practices that increase privacy risk.


GDPR Article 35: Data Protection Impact Assessment

The segments of Article 35 pertaining to third-party risk management are included below:

Where a type of processing, in particular, using new technologies and taking into account the nature, scope, context, and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.

The assessment shall contain at least:

- A systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;

- An assessment of the necessity and proportionality of the processing operations in relation to the purposes;

- An assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1 (above); and

- The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.

Article 35 maps to seven recitals:

  • Recital 75 - Risks to the Rights and Freedoms of Natural Persons
  • Recital 84 - Risk Evaluation and Impact Assessment
  • Recital 89 - Elimination of the General Reporting Requirement
  • Recital 90 - Data Protection Impact Assessment
  • Recital 91 - Necessity of a Data Protection Impact Assessment
  • Recital 92 - Broader Data Protection Impact Assessment
  • Recital 93 - Data Protection Impact Assessment at Authorities

Meeting the Third-Party Risk Requirements of GDPR Article 35

Evaluate the potential impacts of new technology on personal data through a combination of risk assessments and quantitative (or qualitative) risk analysis. The process of projecting security impacts should be similar to the processes that were used to evaluate your risk appetite.

Learn how to calculate risk appetite for TPRM.

How UpGuard can Help you comply with Article 35 of the GDPR

UpGuard’s custom questionnaire builder allows you to tailor risk assessments to each unique threat analysis scenario. A questionnaire could be designed for Article 35 of the GDPR, where the specific safeguards, security measures, and mechanisms ensuring personal data protection are analyzed.

GDPR Article 45: Transfers on the Basis of an Adequacy Decision

The segments of Article 45 pertaining to third-party risk management are included below:

A transfer of personal data to a third country or an international organization may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organization in question ensures an adequate level of protection. Such a transfer shall not require any specific authorization.

When assessing the adequacy of the level of protection, the Commission shall, in particular, take account of the following elements:

- The rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defense, national security, and criminal law, and the access of public authorities to personal data.

Article 45 maps to five recitals:

  • Recital 103 - Appropriate Level of Data Protection Based on an Adequacy Decision
  • Recital 104 - Criteria for an Adequacy Decision
  • Recital 105 - Consideration of International Agreements For an Adequacy Decision
  • Recital 106 - Monitoring And Periodic Review of The Level of Data Protection
  • Recital 107 - Amendment, Revocation, And Suspension of Adequacy Decisions

Meeting the Third-Party Risk Requirements of GDPR Article 45

Be sure to investigate local breach notification laws for all entities processing personal data at both the member state and country levels. This will help you determine the quality of security controls specifically mapping to the requirements of these laws.

How UpGuard can Help you comply with Article 45 of the GDPR

UpGuard’s advanced attack surface monitoring engine can quickly determine deficiencies in security controls by mapping to popular cybersecurity frameworks and regulations. UpGuard can also discover data leaks linked to third-party vendors, which could be early indicators of inadequate personal data protection practices.
