Who is a third party under GDPR?

The GDPR defines a third party as a “natural or legal person, public authority, agency or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data.”

Common examples of third parties under the GDPR include:

- Payment processors
- Advertising partners
- Cloud hosting providers

The GDPR is strict both about how you manage third-party data sharing and about how third parties handle the data they receive.

6 GDPR Articles outlining your TPRM obligations

The GDPR is divided into Articles, each with corresponding Recitals that offer additional context for compliance. Below, we elaborate on the six GDPR Articles outlining your organization’s obligations when it comes to managing third-party risk:

- Article 24: Responsibility of the controller
- Article 25: Data protection by design and by default
- Article 28: Processor
- Article 32: Security of processing
- Article 35: Data protection impact assessment
- Article 45: Transfers on the basis of an adequacy decision

1. Article 24: Responsibility of the controller

GDPR Article 24 defines the responsibility of the controller (your organization) to oversee data managed by a third-party processor. The controller must “implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.”

The Article points to four Recitals (74–77), two of which emphasize the need for risk assessments. Specifically, Recital 76 states that the controller must evaluate the severity and likelihood of risks to a data subject’s (i.e., customer’s) rights and freedoms.

In other words, you need to make sure a third party won’t expose your customers’ data to any significant risks. You can achieve that by performing risk assessments that address various aspects of a third party’s operations, such as:

- Cybersecurity measures
- Data protection practices
- Relationships with their own third-party partners

If you’re monitoring multiple third parties, the best practice is to streamline such due diligence with software that automates data gathering. You can also use tools like risk assessment questionnaires and templates to collect standardized data across third parties.

2. Article 25: Data protection by design and by default

Article 25 has two paragraphs outlining specific data protection requirements your organization must meet. You should implement:

- Technical and organizational data protection measures like data minimization and pseudonymization.
- Appropriate measures to ensure that only the data necessary for a specific purpose is collected.

These measures must extend to any third parties processing your organization’s GDPR-relevant data, so you must ensure third parties implement the necessary internal controls for maintaining data integrity. From a practical standpoint, your goal should be to perform regular audits of your third parties’ technical and organizational controls and to include the expected requirements in your SLAs.

3. Article 28: Processor

Article 28 defines your organization’s relationships with third-party data processors. Most importantly, it states that you may only partner with a processor offering sufficient guarantees that it will implement the necessary technical and organizational measures to process data according to GDPR requirements.

The Article also forbids a processor from engaging another processor (i.e., a fourth party) without your authorization. This allows you to assess the fourth party’s risk profile before your processor partners with them. Ideally, you should be able to conduct thorough due diligence to evaluate their cybersecurity practices and internal controls, but that may not be possible, as fourth parties are not contractually obligated to you.

This Article also discusses how third-party processing is governed. You’ll need to enter into a contract that outlines crucial information, such as:

- Processing duration and subject matter
- Nature and primary purpose of data processing
- Types of data to be collected
- Rights and obligations of the controller

4. Article 32: Security of processing

As per Article 32, both your organization and third-party processors should use the results of risk assessments to:

- Consider the scope and purpose of data processing.
- Determine the appropriate security measures.

Besides pseudonymization and minimization, security measures can include ongoing checks of the confidentiality, availability, and resilience of processing systems. You must also have a system in place to restore personal data following physical or security incidents.

The Article emphasizes the need for regular testing and assessment and helps define the supervisory responsibilities and duties between controllers and processors.

5. Article 35: Data protection impact assessment

According to Article 35, your organization must perform a data protection impact assessment (DPIA) when a particular data processing measure can expose a subject’s data to high risk. This is especially true if new technologies are involved in extensive processing operations.

The goal of a DPIA is to gain a clear overview of the risks and safeguards relevant to vulnerable processing operations. It can be tailored to your organization but must feature the following four elements:

- The purpose of the processing and a description of the processing operations.
- The necessity and proportionality of the described operations (including your organization’s legitimate interest, if applicable).
- Assessment results outlining the risks to a subject’s rights and freedoms.
- The measures that will be put in place to address the risks.

6. Article 45: Transfers on the basis of an adequacy decision

Article 45 describes the conditions for transferring data to third countries and international organizations. You may only do so for countries where the European Commission has verified an adequate level of data protection.

The adequacy decision criteria are outlined in Recital 104 and include the following:

- Respect for human rights
- National security
- Public authorities’ access to personal data

You can find the updated list of countries where data transfer is expressly permitted on the Third Parties page of the GDPR website.

While the European Commission scrutinizes third countries to determine adequacy, it may also be a good idea to perform an internal ESG (environmental, social, and governance) risk assessment. It will help you ensure you’re partnering with third parties whose economic values and objectives are similar to yours.

Meet the necessary GDPR requirements with Vanta

GDPR compliance entails extensive monitoring and review work, which can overwhelm your security and compliance teams. If you want to ensure compliance with minimal time and effort, Vanta can help. It’s an end-to-end compliance management platform with pre-built frameworks for over 20 major standards, including GDPR.

Vanta’s GDPR solution provides pre-built workflows to stay GDPR-compliant, regardless of the scale of your operations. From automated evidence collection and risk assessments to document uploads and reporting, you can reduce up to 90% of the busy work that tends to make compliance processes costly and inefficient.

If you’re looking for TPRM efficiency, you can benefit from Vanta’s Vendor Risk Management product. It’s equipped with several useful features, such as:

- Centralized third-party inventory
- Vendor-tracking dashboards
- Automated third-party discovery (shadow IT)
- Policy builder and templates
- AI-enabled data processing