The General Data Protection Regulation (GDPR), which goes into effect on May 25, 2018, is the biggest development in European Union (EU) data protection law in nearly 20 years.
For instance, GDPR Article 28 mandates that any company doing business in the EU is responsible for all third parties that are processing personal data on behalf of the company. Companies failing to comply with GDPR face potentially large fines, penalties and litigation fees.
Participants in a recent Thomson Reuters webcast, entitled GDPR: Legal’s Role in Addressing Third-Party Processor Risks, highlighted how legal departments will play a critical role in conducting and monitoring vendor due diligence. The webinar was also sponsored by the Association of Corporate Counsel (ACC) and the Jordan Lawrence Group, an IT service management firm.
As the webinar pointed out, once GDPR gets underway, the buck essentially stops at the door of the company’s legal department if there’s a data breach, even if it was caused by a sub-contractor of your third-party data processor. “The stakes are getting higher,” said Susanna McDonald, Associate General Counsel and Senior Director of Compliance at the ACC, and moderator of the webinar. “You have to be ready to meet those regulatory obligations. If you’re a data controller or a data processor, you’re responsible for ensuring that you and all of your vendors are meeting the GDPR requirements,” McDonald explained. “Regulators aren’t going to be very forgiving when you try to point your finger at your vendor.”
In the past, in-house counsel have sometimes left data protection protocols up to the company’s IT department. “I think this is a mistake for a wide variety of reasons,” McDonald pointed out. “You must be prepared to talk to regulators when they call. You’re not going to say, ‘Let me put you on the line with the IT department.’ You’ll have to demonstrate that you have a due diligence process that’s going to ensure consistent compliance.”
Why is front-to-back vendor diligence so vital? As the webinar explained, third-party vendors and subcontractors are responsible for many data breaches, with estimates ranging up to 50% of the incidents.
Rebecca Perry, Director of Professional Services for Jordan Lawrence, underscored how important vendor due diligence was in the eyes of regulators. “Any vendor with any level of access to your systems or data represents a risk to your company,” Perry said. “This fact is not lost on regulators.”
Consider a house with a firmly secured front door (your company’s data protections) and back door (your data processor’s protections), but this house also has a side window that’s left open (a negligent subcontractor), suggested Beth Magnuson, Senior Legal Editor on Privacy and Data Security for Thomson Reuters Practical Law. Ignoring the risks that subcontractors pose to personal data creates a huge hole in your security program. “GDPR accountability requires knowledge and understanding,” Magnuson explained. “If you don’t know who can access the personal data controlled by your company, you don’t really have control over it.”
Jordan Lawrence’s Perry agreed. “GDPR explicitly makes your company responsible for third-party processors as well as their sub-processors, who are your fourth-party risks,” she added. “And GDPR compliance isn’t a one-and-done effort. Compliance is ongoing and will require systematic and routine risk assessments for your third-party vendors.” Perry walked through three vendor risk assessment standards:
- Vendor Risk Profile — to document vendor relationships and surface hidden risks.
- Comprehensive Risk Standard — to assess vendors that surface as relevant to GDPR or that require a higher level of scrutiny.
- Law Firm Standard — to assess law firms against the ACC Model Information Protection Controls.
GDPR will change the state of play in a number of ways, the webinar noted. For one thing, response times will have to be much shorter — a company may have as little as 72 hours to assess the extent of a data breach and notify anyone who may have been impacted.
Then there’s the potential for greater litigation and higher fines. “The biggest risk of GDPR is the tidal wave of litigation and settlements that it could trigger,” ACC’s McDonald said. Every general counsel and chief legal officer must be aware of two GDPR provisions in particular: Article 77 and Article 82.
Article 77 gives the right to anyone — from current and former employees to clients — to lodge complaints with data protection authorities if they feel their rights have been infringed.
And Article 82 essentially gives anyone suffering material or non-material damage as a result of a GDPR infringement the right to receive compensation from a data controller or data processor for the damages suffered. “It will be very easy for individuals to file private claims,” McDonald said. “Legal must be prepared now to defend its practices.”
Rebecca Thorkildsen, Global Director of Legal Solutions at Thomson Reuters Legal Managed Services (formerly Pangea3), said legal departments should assess current vendor contracts to determine which need to be renegotiated in order to get into compliance with GDPR. “You may need to reach out to different parts of your business — functions like procurement or marketing, for example, who may be the sole owners of the contracts and associated relationships,” Thorkildsen explained.
Thorkildsen suggested that companies should consider using tools like automated extraction engines that can pull key data points from lengthy documents, such as whether a contract expires before the GDPR deadline or where the data subjects exist. For further efficiencies, repapering may be automated by generating amendments, leveraging the data extracted and selecting the most appropriate clause based on the clauses and context uncovered.
Law firms need to step up their own protections as well, panelists said. There has been a rash of law firm breaches in recent years, with some estimates noting that 40% of those affected didn’t even know they had been breached at the time.