The General Data Protection Regulation (GDPR) has been an intimidating new reality for numerous organizations, and for good reason. For many organizations, GDPR represents an entire shift in privacy culture. For financial institutions (FIs) that process the personal data of data subjects residing in the European Union (EU), GDPR pushes them beyond what the Gramm-Leach-Bliley Act (GLBA) already required. Much more is now required in how data is obtained, stored, processed and even destroyed.
To meet these stringent new requirements, effective Data Protection Programs have become a must. But it does not stop there. The ramifications of GDPR extend beyond just the creation of a Data Protection Program. One area that has been significantly impacted by the Regulation is vendor management – an area that has already seen increasing attention over the years.
What are the impacts of GDPR on vendor management? FIs will need to be aware of the following:
Strategic Planning and GDPR Vendor Management Evaluation and Selection
- An FI that is contemplating outsourcing a service that would be used by consumers/customers residing within the EU should now consider, if they were not already, the potential privacy implications. How will outsourcing affect the confidential information of these data subjects?
- Once a decision has been made to move forward with outsourcing and the FI is at the vendor consideration stage, GDPR will again be a factor. The FI will need to determine if the vendor it is considering will have the ability to meet GDPR guidelines on data protection. The ability to execute on these requirements will be especially important for those FIs who have a significant number of consumers/customers residing in the EU or are looking to expand in that market.
- Contracts must be evaluated for FI vendors that process the data of customers/consumers residing in the EU. For me, this may be the biggest area of concern when it comes to GDPR and its impact on vendor management. Ensuring GDPR compliance is easy to write into new contracts, but amending existing contracts for existing vendor relationships may prove more difficult. FIs will need to ensure contracts outline the subject matter and duration of data processing (what is being processed and for how long), the nature and scope of processing (why the data is being processed and to what extent), the categories of data and customers/consumers (names, Social Security numbers, financial transaction details, etc.), and the obligations and rights of the FI as the controller of the data.
- In addition, there are a variety of other obligations that contracts should place on vendors:
  - Process data only on instructions from the FI, and ensure that vendor employees adhere to confidentiality agreements.
  - Follow data handling security measures.
  - Do not engage sub-contractors without prior notification to and/or authorization from the FI. A contract must also be in place with the sub-contractor stipulating controls for the proper protection of data.
  - Fulfill the data privacy rights requests of consumers/customers and assist the FI with compliance as much as possible. When a contract is terminated, delete or return all data of EU data subjects and delete existing copies.
  - Assist the FI, as much as possible, in complying with Articles 32 to 36 of the Regulation.
  - Notify the FI of a breach involving personal data without delay.
  - Provide documentation demonstrating compliance with the obligations outlined for processors of data.
  - Notify the FI if an action would violate GDPR.
A few more notes regarding sub-contractors: If a vendor has received general authorization from an FI to engage with a sub-contractor, the vendor will need to inform the FI of changes related to adding or replacing a sub-contractor and allow the FI the opportunity to object. If the sub-contractor the vendor has engaged with will carry out specific processing activities, the same data protection requirements outlined in the vendor’s contract will also apply to the sub-contractor. Of course, these requirements will need to be documented in the contract between the vendor and sub-contractor.
- GDPR will also affect due diligence efforts for an FI, specifically in monitoring controls. For those vendors who are processing personal data of consumers/customers residing in the EU, FIs will need to confirm adherence to processing security and contract requirements. The FI will also need to confirm that updates have been regularly made to the records of processing activities.
What are these records? Vendors need to be able to provide a written record of the processing activities conducted under the direction of the FI. This record will need to detail the kinds of processing being carried out and the individuals whose data is being processed, the contact details of the vendor and any sub-contractors, the security controls in place, and whether data has been transferred to other countries or international organizations.
Want to learn more about the General Data Protection Regulation and steps your FI can take? Check out the ProfitStars GDPR Knowledge Center for additional detail and resources.