63% of data breaches involve a third party relationship.
The new General Data Protection Regulation (GDPR), which becomes enforceable on 25 May 2018, may at first blush seem like "just another EU rule". However, organizations, and specifically the third party risk management teams within them, would take a "tick-box" approach to compliance at their peril.
In fact, the GDPR is such a significant new rule that any organization that does business with individuals in the EU and holds some form of personal data on them should dedicate the time and resources to take a more strategic approach to risk management and compliance within 2017, rather than waiting until next year or complying only tactically. Compliance with this rule requires a strategic approach because:
- It is an EU regulation, but with significant extraterritorial reach. For example, it applies to personal data about individuals in the EU even when that data is processed elsewhere in the world.
- Organizations take on significant new risk responsibilities for the third parties (processors) they engage to handle the affected personal data.
- The new rule has much more robust protections woven into it for privacy, data protection, and consent.
- The rule requires data protection to be built into new products and processes from the start ("data protection by design and by default"), rather than tacked on as an afterthought.
- The fines and sanctions built into the rule (up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher) are far more severe than under the previous rule, the 1995 Data Protection Directive, and apply with the same extraterritorial reach.