Data security and privacy are the foundations of today’s world, a world where the boundaries between business processes, people and technology are becoming blurred. Organisations are facing a new reality in which they own little IT infrastructure and the biggest cyber security and data privacy risk comes from vendors and third parties outside their control. Do you remember the Target, Google Docs, Yahoo, AT&T and Play.com data security breaches? All of them were a consequence of third party cyber security failure. Research indicates that almost 70% of data security and privacy breaches are caused by third parties.
The scope of organisational digital risk is expanding to address the new digital business environment: an environment that consists of a broad external ecosystem and a high level of intersection between technology and the physical world, such as intelligent chatbots, IoT, and connected and autonomous vehicles. For customer-facing organisations like banks, publishers, insurance companies and many others, this will be a big challenge. Digital business as we know it today depends on the use of third party services and software. From business intelligence and analytics to social media and marketing, many of these services are not provided by the organisation itself but by third parties. Most of these organisations do not have a quick and easy way to gain instant and ongoing visibility of their partners’ data security and privacy posture.
On 25th May 2018, this will become paramount for organisations interacting with or serving European customers around the world. This is when the new EU General Data Protection Regulation (GDPR) will come into effect. Organisations that collect and process EU customers’ personal identifier data, such as name, address, email, financial records, IP address, etc., must obtain clear and specific permission to do so. The regulation requires organisations to institute strong data security and privacy measures, know where every piece of customer data is stored, where it came from and with whom it is being shared, appoint a data protection officer, and inform users within 72 hours of a data breach so they can take steps to protect themselves.
Organisations that fail to comply with the regulation could find themselves facing steep fines of between 2% and 4% of total annual turnover. Accordingly, the likes of AT&T, Target, Google and Wal-Mart would today be dealing with fines of between €53 million and €5.83 billion if their third parties acted negligently again and caused them a data security breach. Hence, organisations must not only protect customer data across their own IT environment, but also ensure that the processes and practices of their third parties are secure and compliant with GDPR requirements.
Traditionally, third party risk assessments have been conducted manually, collecting answers to surveys and questionnaires via email, spreadsheets and planned visits to third party organisations. This is an extremely labour-intensive, time-consuming and expensive process, which organisations used to outsource to yet other third parties!
With such an approach, organisations will never gain ongoing visibility and clear insight into their third parties’ data security and compliance posture. They will only gain a snapshot at the time of the assessment, which may no longer hold after some time because of system and/or business process upgrades. Accordingly, organisations will fall short across a number of articles and controls in the GDPR and end up non-compliant and at risk of business disruption, financial losses, reputational damage and huge fines.
To fulfil GDPR third party compliance requirements, a material shift is needed in how organisations assess the risk of their current and potential third parties: a shift that allows organisations to map data security risks onto their business processes, people and IT infrastructure instantly. This will help organisations gain a clear, comprehensive and frequent insight into their own and their third parties’ data security and GDPR compliance stance.
At CyNation, we provide organisations with solutions that allow them to accelerate third party security and compliance risk assessment and monitoring, to verify that those organisations are compliant with the GDPR and other industry standards such as ISO 27001, ISO 31000, ISO 27017 and PCI DSS.
Our cloud-based solutions automate and streamline the lifecycle of third party security risk assessment: distributing assessment questionnaires, monitoring responses, aggregating and analysing responses, collecting and analysing evidence, and generating instant reports and action plans. CyReg™ GDPR frees organisations from the tedious manual tasks of third party risk assessment and offers a systematic, step-by-step approach to evaluating an organisation’s GDPR readiness, quickly and accurately identifying data privacy and compliance gaps within the organisation and its third parties.