"From GDPR to California Privacy: Managing Vendor Risk"

Alex Bermudez, Privacy Solutions Consulting Manager - Americas, OneTrust


1. For anyone living under a rock for the past 24 months, can you begin by providing a quick overview of GDPR and its impact on business around the world?

The General Data Protection Regulation (GDPR) sets guidelines for the collection and processing of personal data of individuals within the European Union and European Economic Area and has implications for businesses worldwide. On May 25, 2018, the ground-breaking regulation became law. Now, any business that collects, stores or processes the personal data of EU citizens, no matter where it is headquartered, has to overhaul its data protection processes to demonstrate compliance. If businesses don’t comply, they face fines of up to 4% of annual turnover or $20M – whichever is higher – or worse, risk reputational damage. This creates a massive obligation for businesses to upend their current processes and invest in new data protection operations.

2. Why is managing vendor risk such a huge priority as organizations continue to improve their privacy and security programs?

Managing vendor risk is an often overlooked privacy and security compliance issue; however, with new regulations like the GDPR, it’s become a major priority. Organizations increasingly rely on third-party vendors to meet their operational needs, but now organizations must hold these vendors contractually responsible for specific obligations for how data is handled, through data processing agreements and other measures. This includes vendors’ partners as well, when fourth parties are involved.

Along with these contractual measures, organizations must assess, test and review a vendor’s ability to adequately safeguard the data they are transferring through product, personnel, and organizational protection mechanisms. This also requires that vendors pass the same data protection expectations downstream. All of this due diligence is a major financial investment, as it must be centrally documented and maintained in the event of an incident or regulatory audit. If it’s not, organizations could face large fines or even termination of operations.

3. How can these organizations implement successful vendor risk processes?

An organization can implement a successful vendor risk process in four steps:

  1. Establish a baseline for new vendors to benchmark associated risks (done during the evaluation and procurement process);

  2. Mitigate risk down to the lowest possible level and use that analysis to set a cadence for vendor review frequency;

  3. Document all aspects of vendor due diligence, including services agreements, privacy and security risk analysis, data processing agreements, vendor contacts, and internal owners; and

  4. Review all vendors periodically to ensure agreements and relationships are maintained with appropriate controls in place, including those based on regulatory guidance, as renewals or new services may be rendered.

Also, businesses can incorporate privacy/security by design into vendor on-boarding practices by integrating with procurement processes to take advantage of work being done today. This could include an early screening to determine if further privacy and security due diligence will be required – based on what services are being rendered – and how they’re delivered.

4. How is OneTrust positioned to assist with this?

Because the GDPR holds companies and their vendors (controllers and processors) jointly liable, it is critical to analyze vendor data transfers and contractual obligations with the same level of diligence as internal processing activities to have a defensible posture in the unfortunate event that a supplier or vendor has a breach.

OneTrust enables organizations to conduct vendor due diligence both during the initial vendor on-boarding phase and when re-auditing existing vendors on a risk-based schedule. Vendor privacy and security assessment questionnaires, built with the Cloud Security Alliance (CSA), can be sent directly to the supplier or third party to complete, generating a central record of all your vendors, contracts, data transfers, the legal basis for any cross-border transfers, and the proper security obligations.

5. You will be running a session on this topic at the CAMSS Ontario conference on October 23 in Toronto. What do you ultimately want people to take away from your session?

Ultimately, I hope the attendees have a better understanding of the GDPR and California Consumer Privacy Act’s scope as well as the new legal obligations these regulations present for third- and fourth-party vendor risk management. By the end of the session, attendees should be able to determine how these obligations apply to their organization and identify priorities before, during and after vendor procurement.


Alex Bermudez is speaking at the 2018 CAMSS Ontario conference, taking place on Tuesday, October 23 at Beanfield Centre, Toronto. For information on the event and to register go to www.camsscanada.com/ontario.