Lots of people have been asking me lately about managing vendor relationships with General Data Protection Regulation (GDPR) in the mix. I tell them to think about watching a group of kids playing a board game where the kids have come up with their own rules. Those kids are having a great time until an adult steps in and tells them they need to play by the rules that came in the box.

At first, there’s going to be lots of frustration. Some kids may throw tantrums and leave the game, but others will decide to figure out how the rules change things. In the end, there’s a good chance they agree that the new rules actually make the game more fun. Even the kids who walked away are likely to end up rejoining. And then they all live happily ever after.

Of course, in real life, nothing is ever that simple.

So, when it comes to GDPR, how do we change the game midplay and deal with new obligations regarding controller and processor governance?

Defining the Roles of Data Controllers and Processors

Let’s start by defining what GDPR means when it refers to data controllers and processors:

  • A controller is “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”
  • A processor is “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”

For example, a department store (controller) collects the data of its customers when they make purchases, while another organization (processor) stores, digitizes and catalogs all the information produced by the department store. The processors can be data centers or document management companies, but both the controller and the processor are responsible for handling the personal data of the store’s customers.

In the pre-GDPR world, European Union (EU) data protection responsibilities were outlined in the Data Protection Directive (officially Directive 95/46/EC), and controllers were responsible for compliance. Now, however, both data controllers and data processors have a shared level of responsibility and duty. They need to be in sync about what personal data is transferred and how it’s transferred, processed (respective of all active data subject rights and choices) and reported (providing accountability, access control and incident breach reporting). That means managing your entire data supply chain, regardless of where in the world the data processors and other parties are located. And there’s one more thing: Now you’ll likely need to have a contract in place unless the controller and processor are part of the same organization.

ASSESS THE PROGRESS OF YOUR GDPR JOURNEY WITH YOUR PERSONALIZED GUIDE TO GDPR READINESS

Developing a GDPR Governance Plan

Given all these changes, here are some things to keep in mind when you’re deciding how to develop your controller and processor governance plan.

Cover the Basics

Start with some basic rules. In general, you should consider three stages for your vendor compliance program: contractual readiness, ongoing governance, and compliance and audit. Contractual readiness entails enhancing your contractual relationship with your vendor in accordance with the tougher provisions of the GDPR statutes. Ongoing governance means enhancing your vendor prequalification and onboarding programs. And when it comes to compliance and auditing, consider which tools and processes you’ll need to implement to ensure your vendors are meeting their obligations and providing audit trails where necessary.

Classify Vendors by Risk Level

Take a time-out to create buckets so you can classify your vendors according to categories and their potential level of risk. You might want to consider what kind of data they collect, manage or process, the type and volume of processing involved and where that data is going to end up. It’s possible that you’ll need to take these steps more than once for a single vendor. For example, you could have multiple types of relationships with the same vendor, who might be providing both support and development — or even hosting.

Contact Your Vendors

Decide how you plan to contact vendors and which contracts you’re likely to put in place. If you’re a processor, you may want to reach out to your data controllers to get the ball rolling if they haven’t already done so.

Define Your TOMs

Bring your buddy TOM into the game. As you may recall from our earlier blog posts, TOM stands for technical and organizational measures. These are the uniform practices and standards you should require your vendors to adopt. If you’re a controller, be sure to have your TOMs well-defined and identify the specific controls you need. And if you’re a processor, take the time to assess your current contracts and any existing controls that could help meet these new obligations. It’s all good preparation for vendor discussions.

Communicate

If you’re a controller, you should create a formal communication plan for contacting vendors. For example, you could launch a mass mailing that sets out the new contract, terms and TOMs. Then confirm that the documents were received by the right individual and track your progress until you’ve succeeded in reaching everyone on your list.

Processors should review the new controls with everyone on their team, including the appropriate IT and security people. You should also perform a gap analysis and create an implementation plan that includes monitoring and reporting. Anticipate — and prepare for — controller audits and complaints from controllers or the Data Protection Authority (the GDPR-designated regulator).

Educate

As a controller, be aware that your smaller vendors may not even know about GDPR — so don’t assume otherwise. Consider providing some of the same training that you gave your employees. You’ll also want to educate your vendor management team, along with your marketing, human resources and product development groups. They often have greater insight into the nature of the supplier relationships, the types of data being handled and the relative maturity of the vendor. And that can help determine how you work with your vendors and handle any issues that may arise.

Document Your Moves

Create a central supplier lookup repository to help you gain visibility into your vendors. It should provide details about who has been notified, signed a contract, completed education and who has been audited. It should also include information about any exceptions that need to be addressed. And if you’re a controller, your repository should also provide a link into your data mapping repository, since Article 30 of GDPR requires that you identify both those processors who work with personal data and any additional vendors that may be involved.

Stay in the Game

If you’re a controller, you should specify the types of audits you’re planning to conduct, how frequently you plan to conduct them and how you’re going to track your progress. And you need to figure out how you’ll deal with vendors who aren’t meeting their obligations. Meanwhile, if you’re a processor, you need to determine who’s going to handle your audits.

In conclusion, vendor management requires an ongoing vendor governance and compliance program.

ASSESS THE PROGRESS OF YOUR GDPR JOURNEY WITH YOUR PERSONALIZED GUIDE TO GDPR READINESS

Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including GDPR. IBM does not provide legal advice and does not represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation. Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.

More from Data Protection

Communication platforms play a major role in data breach risks

4 min read - Every online activity or task brings at least some level of cybersecurity risk, but some have more risk than others. Kiteworks Sensitive Content Communications Report found that this is especially true when it comes to using communication tools.When it comes to cybersecurity, communicating means more than just talking to another person; it includes any activity where you are transferring data from one point online to another. Companies use a wide range of different types of tools to communicate, including email,…

SpyAgent malware targets crypto wallets by stealing screenshots

4 min read - A new Android malware strain known as SpyAgent is making the rounds — and stealing screenshots as it goes. Using optical character recognition (OCR) technology, the malware is after cryptocurrency recovery phrases often stored in screenshots on user devices.Here's how to dodge the bullet.Attackers shooting their (screen) shotAttacks start — as always — with phishing efforts. Users receive text messages prompting them to download seemingly legitimate apps. If they take the bait and install the app, the SpyAgent malware gets…

Exploring DORA: How to manage ICT incidents and minimize cyber threat risks

3 min read - As cybersecurity breaches continue to rise globally, institutions handling sensitive information are particularly vulnerable. In 2024, the average cost of a data breach in the financial sector reached $6.08 million, making it the second hardest hit after healthcare, according to IBM's 2024 Cost of a Data Breach report. This underscores the need for robust IT security regulations in critical sectors.More than just a defensive measure, compliance with security regulations helps organizations reduce risk, strengthen operational resilience and enhance customer trust.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today