The General Data Protection Regulation (GDPR), which came into effect in 2018, aims to safeguard the personal data of European Union (EU) citizens. As a privacy regulation, it offers customers in the EU several rights regarding how their personal data is handled and used. Violating any of those rights could lead to significant penalties and legal consequences.

‍

Since many organizations have to share customer data with third parties (or otherwise outsource data management), effective third-party risk management (TPRM) is an integral component of GDPR compliance. In this guide, you’ll learn all about the relevant GDPR third-party risk requirements and how to meet them efficiently.

‍

Before exploring the specific requirements, though, let’s take a moment to review the basics.

‍

Who needs to comply with GDPR?

GDPR compliance is mandatory for all organizations that handle the personal data of EU citizens and businesses. It also protects the rights of non-EU citizens physically located in the EU or the European Economic Area (EEA). 

‍

The standard applies regardless of your organization’s geographic location—you must comply if your operations involve the collection and processing of said data.

‍

GDPR’s core privacy principle also extends to any of your third-party partners processing customer data on your behalf. You need a systemized approach to TPRM to ensure your third parties have the necessary controls in place to protect the shared data.

‍

{{cta_withimage20="/cta-modules"}}

‍

Who is a third party under GDPR?

The GDPR defines a third party as a “natural or legal person, public authority, agency or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data.”

‍

Common examples of third parties under the GDPR include:

‍

• Payment processors
• Advertising partners
• Cloud hosting providers

‍

The GDPR is strict about both how you manage third-party data sharing as well as how third parties handle the data they receive.

‍

6 GDPR Articles outlining your TPRM obligations 

The GDPR is divided into Articles, which contain corresponding Recitals that offer additional context for compliance. Below, we’ll elaborate on the six GDPR Articles outlining your organization’s obligations when it comes to managing third-party risk:

‍

1. Article 24: Responsibility of the controller
2. Article 25: Data protection by design and by default
3. Article 28: Processor
4. Article 32: Security of Processing
5. Article 35: Data protection impact assessment
6. Article 45: Transfers on the basis of an adequacy decision

‍

1. Article 24: Responsibility of the controller

GDPR Article 24 defines the responsibility of the controller (your organization) to oversee data managed by a third-party processor. The controller must “implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.”

‍

The article points to four Recitals (74–77), with two Recitals emphasizing the need for risk assessments. Specifically, Recital 76 states that the severity and likelihood of risks to a data subject’s (i.e., customer’s) rights and freedoms must be evaluated by the controller.

‍

In other words, you need to make sure a third party won’t expose your customer’s data to any significant risks. You can achieve that by performing risk assessments that address various aspects of a third party’s operations, such as:

‍

• Cybersecurity measures
• Data protection practices 
• Relationships with their third-party partners

‍

If you’re monitoring multiple third parties, the best practice is to streamline such due diligence through the right software that automates data gathering. You can also use tools like risk assessment questionnaires and templates to collect standardized data across third parties.

‍

{{cta_withimage14="/cta-modules"}} | The GDPR compliance checklist

‍

2. Article 25: Data protection by design and by default

Article 25 has two paragraphs outlining specific data protection requirements your organization must meet. You should implement:

‍

1. Technical and organizational data protection measures like data minimization and pseudonymization.
2. Appropriate measures to ensure that only the data necessary for a specific purpose is collected.

‍

These measures must extend to any third parties processing your organization’s GDPR-relevant data. You’ll ensure third parties implement the necessary internal controls for maintaining data integrity. From a practical standpoint, your goal can be to perform regular audits of your third parties’ technical and organizational controls and include the expected requirements in your SLAs.

‍

3. Article 28: Processor

Article 28 defines your organization’s relationships with third-party data processors. Most importantly, it states that you can only partner with a processor offering sufficient guarantees that they’ll implement the necessary technical and organizational measures to process data according to GDPR requirements.

‍

The Article also forbids a processor from engaging another processor (i.e., a fourth party) without your authorization. This allows you to assess the fourth party’s risk profile before your processor partners with them. Ideally, you should be able to conduct thorough due diligence to evaluate their cybersecurity practices and internal controls—but that may not be possible as fourth parties are not contractually obligated to you.

‍

This Article also discusses how third-party processing is governed. You’ll need to enter into a contract that outlines crucial information, such as:

‍

• Processing duration and subject-matter
• Nature and primary purpose of data processing
• Types of data to be collected
• Rights and obligations of the controller

‍

4. Article 32: Security of processing

As per Article 32, both your organization and third-party processors should use the results of risk assessments to:

‍

• Consider the scope and purpose of data processing.
• Determine the appropriate security measures.

‍

Besides pseudonymization and minimization, security measures can include ongoing checks for confidentiality, availability, and resilience of processing systems. You must also have a system in place to restore personal data following potential physical or security incidents.

‍

The article emphasizes the need for regular testing and assessments and helps define the supervisory responsibilities and duties between controllers and processors.

‍

{{cta_withimage5="/cta-modules"}} | How to minimize third-party risk with vendor management guide

‍

5. Article 35: Data protection impact assessment

According to Article 35, your organization must perform a data protection impact assessment (DPIA) when a certain data processing measure can expose a subject’s data to high risk. This is especially true if new technologies are involved in extensive processing operations.

‍

The goal of a DPIA is to gain a clear overview of the risks and safeguards relevant to vulnerable processing operations. It can be tailored to your organization but must feature the following four elements:

‍

1. The purpose of the processing and description of the processing operations.
2. Necessity and proportionality of the described operations (including your organization’s legitimate interest, if applicable).
3. Assessment results outlining the risks to a subject’s rights and freedoms.
4. The measures that will be put into place to address the risks.

‍

6. Article 45: Transfers on the basis of an adequacy decision

Article 45 describes the conditions for transferring data to third countries and international organizations. You can only do so in countries where the European Commission has verified an adequate level of data protection.

‍

The adequacy decision criteria are outlined in Recital 104 and include the following:

‍

• Respect for human rights
• National security
• Public authorities’ access to personal data

‍

You can find the updated list of countries where data transfer is expressly permitted on the Third Parties page of the GDPR website.

‍

While the European Commission effectively scrutinizes third countries to determine adequacy, it might also be a good idea to perform an internal ESG (environment, social, and governance) risk assessment. It will help you ensure you’re partnering with third parties with economic values and objectives similar to yours.

‍

Meet the necessary GDPR requirements with Vanta

GDPR compliance entails extensive monitoring and reviewing work, which can overwhelm your security and compliance teams. If you want to ensure compliance with minimal time and effort, Vanta can help. It’s an end-to-end compliance management platform with pre-built frameworks for over 20 major standards, including GDPR. 

‍

Vanta’s GDPR solution provides pre-built workflows to stay GDPR-compliant, regardless of the scale of your operations. From automated evidence collection and risk assessments to document uploads and reporting, you can reduce up to 90% of the busy work that tends to make compliance processes costly and inefficient.

‍

If you're looking for TPRM efficiency, you can benefit from Vanta’s Vendor Risk Management product. It’s equipped with several useful features, such as:

‍

• Centralized third-party inventory
• Vendor-tracking dashboards
• Automated third-party discovery (shadow IT)
• Policies builder and templates
• AI-enabled data processing

‍

Vanta also offers several learning resources, such as the GDPR training developed by in-house experts. 

‍

If you want to learn more about what Vanta can do for you, schedule a custom demo for a more hands-on experience.

‍

{{cta_simple19="/cta-modules"}} | GDPR product page

‍

A note from Vanta: Vanta is not a law firm, and this article does not constitute or contain legal advice or create an attorney-client relationship. When determining your obligations and compliance with respect to relevant laws and regulations, you should consult a licensed attorney.