The Identity Blog


EU’s General Data Protection Regulation (GDPR) and 3rd Party Identity Risk

The EU’s General Data Protection Regulation (GDPR) requires that organizations properly protect their EU customers’ personally identifiable information (PII) and know where every piece of that data is stored, where it came from and with whom it is being shared.

GDPR extends your organization’s responsibility for its customers’ PII to the third parties with whom it shares this data. Organizations can have hundreds to thousands of relevant third parties.

In other words, if any member of your network of trusted third parties (vendors, partners, contractors, consultants, outsourcers, etc.) acts negligently and your customers’ PII is compromised, you are also liable for penalties and fines.

When it comes to GDPR, you don’t want to be penalized, as fines can total up to 4% of a company’s annual revenue or €20 million, whichever amount is higher. To put this in context for the Global 2000 (which have revenues between $1.6 billion and $171.1 billion according to Forbes), fines could potentially amount to between $64 million and $6.84 billion.

You must not only protect customer data within your own IT environment, but also ensure that the processes and practices of your third parties comply with GDPR requirements.

“Third-party vendors have been fingered as the weak link in the chain in recent security breaches. When it comes to identity and access management (IAM), and safeguarding enterprise systems and data, information security professionals can no longer ignore that there are non-employees who – because of the nature of their work – must access sensitive corporate data and systems. Yet these same firms, and their employees, are in many ways beyond the direct control of the enterprise security team.” -Michael Cobb, TechTarget Report, Developing an IAM strategy for third-party vendors

Many companies are placing trust in third parties without a proven means of managing, controlling, and monitoring the access that these entities have. Vendor Risk Management solutions are one way of addressing the problem, but they do not factor in the issue of 3rd Party Identity Risk.

The Bomgar 2017 Secure Access Threat Report found that data breaches through third-party access are widespread. “As the vendor ecosystem grows, the function of managing access for vendors will need to be better managed through technology and processes that provide visibility into who is accessing company networks, and when, without slowing down business processes.”

SecZetta has a modular suite for 3rd Party Identity Risk and Lifecycle Management.