GDPR and the cloud: How to manage suppliers in a changing world

Regulation and technology changes are making life even more complicated.
Written by Mark Samuels, Contributor


Technology decision-makers face a tough task governing the ecosystem of partners that surrounds the modern digital business. Alan Roger, senior analyst at researcher Ovum, says the complexities associated with vendor management continue to increase.

"IT leaders must deal with a range of disparate partners," he says. "In many cases, the internal skills aren't available and technical resources reside outside the enterprise. The added concern of compliance means vendor management is a significant challenge."

Roger joined an expert panel at an RSA Security event on risk in London recently, where the concerns associated with third-party arrangements, especially given the forthcoming launch of the General Data Protection Regulation (GDPR), were discussed. Experts at the event suggest executives looking to excel in vendor management must focus on three key areas: policies, assessments, and contracts.

1. Putting effective processes and policies in place

Raef Meeuwisse, governance expert at ISACA, has run supplier audits at blue-chip firms and created auditing frameworks for major businesses. He believes senior management should view GDPR as a policy and process issue. Executives with the right procedures in place will be fine. The bad news, however, is that evidence of such preparedness is limited.

"Many organisations are struggling, especially when it comes to hooking into and evaluating the risk of third parties. GDPR sets up some great principles, like privacy by default and design. But the regulation also requires substantial process re-engineering," says Meeuwisse.


He says many organisations take a different view of risk when they move beyond the corporate firewall. Internally, senior managers lay down strict rules and regulations regarding which tools and configurations employees use. With third-party partners, executives can only create contracts, set objectives and then hope targets are met.

"Savvy companies extend contracts beyond the enterprise and consider data management from the request-for-proposal stage," he says. "If you do that, you'll have the right audits and controls by default and design." Once again, however, evidence of such provision is limited. Worse still, CIOs and their C-suite peers encounter other challenges.

Meeuwisse says many companies engage cloud providers because they lack expertise internally, but he says CIOs must find ways to stop being over-reliant on external partners.

"Put compliance and security in at the point of contract, rather than as an afterthought," he says. "Your valuable information should define where you set risk, security and compliance. You must think about the value of information you're putting into the cloud. Not all cloud platforms are the same in terms of risk."

2. Creating strong assessments of third parties

Javier Sanchez-Ureta, data office director at financial services organisation Banco Sabadell, says his first instruction from the CIO on joining the bank in 2016 was to help improve the firm's vendor oversight. Since then, Sanchez-Ureta has helped the firm establish a range of best-practice approaches.

He says the highly-regulated nature of the finance industry means some processes, such as credit control, can't be outsourced under any circumstances. Sanchez-Ureta says other CIOs in other industries must also assess what services can and can't be run externally.

"Analyse what you want to outsource and establish whether it's core to your business," he says. "Investigate the different vendors you have in your environment. Analyse the risks of each supplier and evaluate these concerns prior to building a relationship. With the help of our lawyers, we have strict rules in our contracts."

While the processes and policies at Banco Sabadell are tough, Sanchez-Ureta says every vendor has an opportunity to potentially work with the firm. His team assesses each vendor on a case-by-case basis. Incident response strategies are key, and an in-house cyber-intelligence team works with vendors to ensure new challenges are considered.


"We have also built a vendor risk assurance office and we evaluate and classify all external suppliers to the business from most to least critical. Our audit team can run three types of audits against suppliers. And we also have remote assessments, where we request evidence," says Sanchez-Ureta, suggesting efforts to keep on top of risk management remain a work in progress.

"You have to keep on top of your vendors -- and the resources you need to do that are a challenge. The board must be aware of the risk of having vendor partners. You also need a tool that allows you to see the full picture of your vendors, so that you can report concerns and results to the board."

3. Developing contracts that keep your business covered

However, Anthony Lee, partner at law firm DMH Stallard, says the kinds of tight policy enacted at Banco Sabadell are far from commonplace. He suggests some firms could be caught out by the impending GDPR deadline. "My sense is a lot of contracts aren't going to be ready and there will be issues when the regulators come knocking," he says.

Lee says GDPR creates fresh concerns for CIOs and their vendor partners.

"There's a big focus on fines but the regulator can stop data processing taking place," says Lee. "If you're reliant on a provider that holds your data, and the regulator puts the shutters down, they could in effect stop your business trading. So, in many ways, the fines could be the least of your concerns."

CIOs should note an added layer of complexity. Lee says many modern cloud contracts for IT provision involve both prime- and sub-contractors. This interdependence creates significant overlap between suppliers, and with it fresh issues under GDPR regarding how third-party organisations handle data.

"No cloud provider can sit behind a sub-contract - they must create contracts that are fit for purpose," says Lee. "The penny has dropped when it comes to shared responsibility from the big providers. But there is a lack of maturity when it comes to cloud contracts from smaller providers. For CIOs, the ability to change terms and conditions on notice isn't great if your data is being held by a less mature provider."

He says IT leaders must concentrate on three considerations as they push data to the cloud: the right of the vendor to process information; the security and technical measures at the provider; and the ability to audit third-party facilities and delete data on demand. "There are challenges but, if you work with a major cloud provider, their livelihood depends on ensuring the rules are covered," says Lee.
