To comply with GDPR, organizations typically must overhaul and update a number of internal processes and systems, but they can’t ignore a critical area: risk from vendors and other third parties such as contractors, partners, suppliers and service providers.
It’s a point that’s stressed repeatedly throughout the 88-page text of the EU’s General Data Protection Regulation (GDPR), which goes into effect in May 2018 and requires that organizations worldwide properly identify, track and protect their EU customers’ personally identifiable information (PII).
In GDPR lingo, “data controllers” must vet the “data processors” they share this customer information with, and assume joint responsibility for what happens to it. In other words, you’re liable if one of your third parties gets breached for failing to adhere to GDPR requirements and as a result your customers’ personal data gets compromised.
“The controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject,” reads GDPR’s Article 28. That article goes on to stress that “controllers” must detail in written contracts how their “processors” are going to handle this customer data.
In this installment of our GDPR preparedness blog series, we’ll focus on the importance of ensuring that your third parties comply with the regulation’s requirements. To accomplish this, you must do due diligence and assess your third parties’ GDPR compliance levels.
Third Party Risk Assessments: Manual vs. Automated
These business-process control assessments are conducted via surveys to poll third parties on things like their business continuity plans, regulatory compliance and data security safeguards.
After collecting and analyzing the survey responses, an organization can determine the level of risk involved in giving particular third parties access to its systems and data.
Historically, these polls have been conducted manually, usually by emailing survey questionnaires to the third parties and tracking their responses on spreadsheets.
But distributing questionnaires, collecting answers and aggregating results in this manual fashion is arduous, erratic and costly. For GDPR compliance, you must conduct your third-party risk assessments efficiently, exhaustively, accurately and frequently.
GDPR is unforgiving with regards to customer data protection — fines can total up to 4% of your annual revenue, or €20 million, whichever amount is higher — and EU regulators expect both data “controllers” and “processors” to go to great lengths to properly secure this information.
In order to meet GDPR’s requirements, you need a solution that centralizes management of these assessment campaigns and streamlines the entire process. Qualys’ Security Assessment Questionnaire (SAQ) has been designed to do just that.
Qualys Security Assessment Questionnaire
With the cloud-based SAQ, you can scale and accelerate the third-party risk assessment lifecycle, including survey design, response monitoring, data aggregation and report generation.
SAQ automates tedious manual tasks, yields unparalleled accuracy and speeds up campaigns. It lets organizations quickly and precisely identify security and compliance gaps among third parties, as well as internally among its employees.
A new GDPR-specific questionnaire further simplifies an organization’s efforts to ensure their third parties are compliant with the EU regulation.
Here’s a snapshot of SAQ features and capabilities that can assist organizations with GDPR compliance efforts:
- Intuitive and flexible design of questionnaires and campaigns
SAQ’s wizard walks organizations through the creation of campaigns, and allows them to assign deadlines and configure notifications. Questions can have different formats, and can be configured to be dynamically shown or hidden based on one or more responses. Survey designers can require that evidence files be attached to certain answers.
Campaigns can be designed with different workflows. For example, a survey can be considered finalized once it’s been completed by the respondent, or extra steps can be required, such as an expert’s review and approval.
By simplifying the design of campaigns, and making it possible to tailor multiple elements of the questionnaires, organizations will increase the likelihood of receiving clear and well documented answers that accurately reflect a third party’s capacity to comply with GDPR requirements.
- Simplified questionnaire distribution
SAQ eliminates the need to set up user accounts, because it auto-provisions the surveys. Respondents complete surveys on browser-based forms, and can delegate questions they can’t answer. Administrators can trigger reminder emails to respondents, and set up recurring campaigns. These features will make the experience of filling out a questionnaire convenient for respondents, and give survey administrators the tools to make sure questionnaires are distributed and answered on a timely basis, all important elements for a complex regulation like GDPR, whose compliance verification process can be lengthy and taxing.
- Automated campaign tracking
SAQ captures responses in real time and aggregates them in one central management console. It displays charts that are updated in real time, and lets administrators drill down to individual survey responses, and slice and dice results, giving them more control and visibility into the process of assessing third parties’ level of GDPR preparedness.
SAQ also generates proof of compliance with detailed reports, and caters to a variety of users, including upper management via executive-level dashboards, and auditors with more detailed views of the data, all key constituencies for such a high profile regulation as GDPR.
Administrators can create custom dashboards and from the central console track and manage simultaneously multiple concurrent campaigns, staying in control of their progress.
SAQ lets you assign criticality levels to questions, and affix scores for answer options in the questionnaire templates. The question criticality scale is customizable with labels and answer weights.
When generating reports, organizations can filter by question criticality and answer scores to derive an overall risk score or identify high- risk areas. This helps your team zero in on potential problems with your third parties’ abilities to protect your customers’ data, which could in turn land you in trouble with GDPR regulators.
- Internal risk assessments
SAQ helps you make internal assessments through the review of process controls, policies and procedures for IinfoSsec and data classification and gathering. With SAQ, you can automate the entire process of data collection across your organization’s affected teams, and understand the location, user access and security controls for any personal data in your network, a key requirement for GDPR compliance.
- Assessments for all types and stages of vendor relationships
SAQ lets you quickly and easily design and deploy risk assessment campaigns for all types of vendor relationships, and for every stage in your contractual engagement.
This is key for complying with GDPR, which demands that “data collectors” know exactly who is processing their customers’ data, for what purpose, in what manner and with which protections and precautions. That includes any third party with access to that data, ranging from a large, multinational cloud computing provider you’ve been doing business with for many years, to a small contractor you’ve just hired.
- GDPR template
A GDPR-specific SAQ questionnaire template gives you a head start in your efforts to assess your third parties’ compliance with this regulation.
Let Qualys Assist You in Your GDPR Readiness Process
With SAQ, you can adopt a uniform, automated process — including design of questionnaires, distribution of surveys and tracking of campaigns — that every department in your organization can follow to do frequent and in-depth assessments of third parties’ GDPR compliance.
SAQ is part of the unified Qualys Cloud Platform, which has a number of integrated solutions that can also help you with GDPR preparedness by giving you the capabilities you need for IT asset tracking and visibility, vulnerability management, patching prioritization, and policy compliance.
Qualys gives you single-pane visibility of your risk both internally, and across third-party data processors, helping them maintain continuous visibility of your GDPR compliance state.
To learn more about how Qualys solutions can help you become GDPR compliant, visit qualys.com/gdpr where you can download our free guide and watch our webcast.
(Pushpak Pradhan is the Product Manager for Qualys SAQ)