Researchers believe that many organizations are still not compliant with GDPR legislation even though it has been in force since May 2018, largely because they have not properly audited data handling within their supplier relationships.
Data privacy management company, TrustArc, highlighted in its latest research that only 20% of companies surveyed believe they are GDPR compliant, while 53% are in the implementation phase and 27% have not yet started their implementation. EU companies are further along, with 27% reporting they are compliant, versus 12% in the U.S. and 21% in the UK. While many companies have significant work to do, 74% expect to be compliant by the end of 2018 and 93% by the end of 2019.
Chris Babel, CEO of TrustArc said, “While the amount of effort was immense for the deadline of May 25, there is substantive work yet to complete to achieve initial compliance as well as monitor and maintain compliance on a repeatable and efficient ongoing basis.”
The firm said that what is discouraging about the process is the high cost of compliance: over one fourth of companies spent over half a million dollars each to become GDPR compliant, and the share of US companies that spent over 1 million dollars each on compliance compares with 10% of UK and 7% of EU companies.
Gartner too believes that organizations are still not compliant with GDPR legislation even though it has been in force. According to Gartner, sourcing and vendor management (SVM) leaders should review all existing IT contracts to minimise potential financial and reputational risks.
“SVM leaders are the first line of defense for organizations whose partners and suppliers process the data of EU residents on their behalf,” said Yanni Karalis, research director at Gartner. “If you don’t have clarity on your organization’s role with regards to personal data handling, you have to urgently address this.”
There are two key roles identified in the GDPR: data controllers and data processors. With GDPR already in force, SVM leaders should already have identified any vendor-supported business processes that result in either the vendor or the organization operating as a controller or processor of EU citizen or resident data.
“Data controllers are the customers of data processors in any specific activity handling the personal data of EU citizens, and these roles can change depending on the activity,” said Karalis. “If the controller has chosen processors that are not compliant with the GDPR, they are risking penalties for their organization of up to four percent of annual revenue or €20 million.”
GDPR imposes many requirements on data processors. These requirements include obligations to process personal data only on instructions from the controller, to inform the controller if it believes said instruction infringes on the GDPR, to notify data controllers of data breaches without undue delay, and to restrict personal data transfer to a third country unless legal safeguards are obtained.
“If you aren’t sure your suppliers meet all GDPR requirements, you need to rectify the situation immediately,” said Karalis. “Once existing relationships have been secured, you need to begin updating procurement processes to ensure GDPR requirements are built in for the future.”
The following non-exhaustive list is a great starting point for SVM leaders to set out expectations and requirements around GDPR in new contract negotiations:
– Definitions. Ensure definitions in your contracts reflect the revised definitions in the GDPR.
– Data breaches. If a data breach occurs, the vendor should notify you without undue delay after becoming aware of the breach. The vendor should be required to cooperate, investigate and remediate the breach. The vendor must also assist with any notifications required and work with the appropriate authorities.
– Data security. Assess if you need to use special measures such as encryption. Consider if you need to implement “data protection by design.”
– Data processing. Set up the vendor’s data processing to allow for the fulfilment of data subject requests. For example, all information that is necessary to demonstrate a vendor’s compliance with its processing obligations should be made available to you. All data processing activities that a vendor performs for you should be documented.
– Vendor cooperation. The vendor needs to support any audits that you perform or a third party performs on your behalf to verify the vendor’s GDPR compliance. The vendor must support any data protection impact assessments that you conduct.
– Dealing with fines. Per the vendor’s risk profile, consider if you need to modify the indemnities, limits of liabilities and other similar clauses to hold the vendor appropriately accountable for noncompliance with the legislation.
“Being explicit about what you need from vendors is critical,” said Karalis. “Moreover, it’s important to explain the implications of key GDPR clauses to your stakeholders as well as to your suppliers.”
Researchers find that, despite the difficulties in becoming GDPR compliant, 65% of companies view GDPR as having a positive impact on their business, while only 15% view it as having a negative impact. Customer expectations and complexity top the list of GDPR drivers. Unless it is made simpler, the complexity of GDPR will continue to pose the biggest challenge to compliance.