An action plan for tackling third-party GDPR risk


Third-party risk and GDPR

Organizations need an action plan for handling third-party data as the GDPR takes effect in May 2018. Here's your guide to third-party risk management in a GDPR world.

Broader and deeper vendor GDPR risk

Five articles in the GDPR add new requirements or deepen existing obligations from the legacy 1995 EU Directive on Data Protection:

  • Article 28, “Processor,” requires contractual protections with data processors and their sub-processors, adequate data protection, and production of evidence of compliance with the GDPR;
  • Article 30, “Records of processing activities,” requires data processors to maintain a detailed inventory of the EU personal data they host;
  • Article 32, “Security of processing,” requires data processors and their sub-processors to implement comprehensive information security controls to protect EU personal data;
  • Article 33, “Notification of a personal data breach to the supervisory authority,” requires data processors to report compromises of EU personal data to their clients without undue delay; and
  • Article 36, “Prior consultation,” requires data processors to provide data protection impact assessments (DPIAs) to their clients in certain high-risk situations.

Companies that engage third parties to process their EU personal data will also want to contractually establish service levels for assisting with responses to data subject rights requests under their purview, and for providing evidence of GDPR compliance on demand.

Contact us

Jay Cline

Privacy Leader, Principal, PwC US

Carolyn Holcomb

Partner, Cybersecurity and Privacy, PwC US

Jocelyn Aqua

Principal, Cybersecurity and Privacy, PwC US
