3rd Party Risk Management GDPR

1. 3rd Party Risk Management- GDPR
GDPR summit RDS - May 30th 2018

2. Partners in
Supplier
Management
Solutions
We are trusted advisors and partners for developing and implementing world-class
sustainable 3rd Party solutions
Brian is Executive Director of Verego and CEO of Clearstream Solutions, a
leading independent supply chain consultancy which he founded in 2008.
Clearstream’s services help its clients to manage and report supply chain
sustainability and compliance. Current global clients include Microsoft,
Symantec, Honeywell, Verego, Teleplan, Arvato, Veritas and Vodafone.
Brian has 25 years’ experience in global supply chain management,
particularly in the areas of Electronics, Media, Print & Packaging. He has a
degree in Economics from Trinity College, a Certificate in Sustainable
Management from BSI Group and is currently studying the Circular
Economy at TU Delft.
Introducing Clearstream and Partners
Anne Quinn, Clearstream Associate, recently completed a 17-year career at
Microsoft, where she led global programs in Global Operations, Customer
Service and Support, Finance, and Procurement. Most recently, Anne was the
Director of Supplier Risk Management & Compliance and drove supplier
compliance to Microsoft's Privacy and Security requirements, including a
GDPR readiness program. She also launched a revised Supplier Code of
Conduct Training Program for 40,000+ suppliers, and managed Procurement’s
Anti-Corruption Vetting program. Anne has recently earned the ANSI-
accredited Certified Information Privacy Professional/Europe (CIPP/E). Anne
will be utilizing her extensive experience to provide consultancy to companies
on 3rd party risk management under GDPR

3. • Clearstream Solutions is a leading supply chain and sustainability services solution provider.
• We assist organizations to measure and implement best-in-class sustainable practice in their
businesses, products and supply chains.
• Our solutions deliver tangible, measurable savings for our clients who include some of the leading
private and public sector organizations in Ireland and around the world.
• Clearstream also provides consultancy services and tools to help our clients implement
Responsible Sourcing programs in their Supply Chains and Outsourcing operations (Verego)
• Clearstream has won a national Green Award and an Envirocom Award. We also won first place in
the last Dublin Chamber Sustainable Business Challenge. We are the local Ireland partner of CDP
global.
About Clearstream Solutions

4. Some Clients:

5. 3rd Party Risk Management and GDPR

6. Face Book-Cambridge Analytica Data Breach
“Cambridge Analytica Exploited the Facebook Data of Millions”.
Up to 87 million people impacted by Facebook data breach!

7. 3rd Party Relationships/Risks
The frequency and scale of third party use has increased
Third party service providers are the most likely source of data breach,
implicated in over 60% of all incidents
Relationship Maturity Indicators and Lifecycle Management can help to
mitigate risk
There is now
increased
regulatory focus
on how
organization's are
managing 3rd
parties
Decreased Risk
Increased Risk

8. Enhanced personal privacy rights
Increased obligations for protecting data
Mandatory breach reporting
Significant penalties for non-compliance
The General Data Protection
Regulation (GDPR) imposes new
rules on organizations in the European
Union (EU) and those that offer goods
and services to people in the EU, or that
collect and analyze data tied to EU
residents, no matter where they are
located.
The General Data Protection Regulation
The GDPR has specifically called out the controller/processor relationship responsibilities

9. GDPR– Article 28 Controller/Processor Relationship
Definition of a processor: ‘processor’ shall mean a natural or legal person, public authority,
agency or any other body which processes personal data on behalf of the controller
The intention of Art. 28 is to flow down the security principle and the security requirements into
the processor’s organization and through the supply chain to sub-processors

10. GDPR– Article 28 Controller/Processor Relationship
Regardless of the allocation of responsibility in supplier contracts, data
subjects are entitled to enforce their rights against both the data
controller and the processor(s)

11. ✓ Identify 3rd party personal data
handling -highlighting special
categories of personal data
✓ Conduct risk analysis -
severity/probability model
✓ Update 3rd party contracts to
ensure compliance to your
company privacy program/GDPR
✓ Consider Supplier GDPR
compliance attestations
✓ Vet new suppliers - walk away if
not GDPR compliant!
Immediate
▪ Create supplier pre-selection
due diligence program
▪ Ensure contract templates are
valid and up to date
▪ Develop supplier assurance
program (assessments/audits)
▪ Closed loop corrective action
▪ Internal awareness/alignment
across the organization
▪ Ensure demonstrable intent in
relation to supplier program
Futureplans
GDPR – What do I need to do?
What constitutes “sufficient guarantee” and how can this be measured?

12. VEREGO: Your Partner in Assessing Third Party Risk - Due Diligence
Our
Platform
We
Assess
We
Review
▪ Online Supplier Reporting Platform
▪ Transparency for both Suppliers and Buyers
▪ Immediate communication and information exchange
▪ Reporting Capabilities contained within Platform
▪ Demonstrates Due Diligence
▪ Option for response Review by Independent 3rd Party
Streamlined
Supplier
Assessments
Ongoing
Excellence
in Data
Protection
Framework for
Ongoing
Management
▪ Standardized Questionnaire available or optional
customized buyer GDPR Assessment
▪ Assessment Report on Performance and Risk

13. Compliance dashboard
The compliance dashboard
enables the Buyer to track
Suppliers as they register
and publish GDPR
information through
SupplierPortal.
All statistics are dependent
on the chosen settings,
meaning the compliance
status of your suppliers can
be analyzed and reported at
anytime.

14. Questionnaire analysis (option 2)
The questionnaire analysis
dashboard enables the
Buyers to track the
completion rate of all the
questionnaires, including
GDPR.
The flag status shows if
suppliers have triggered risk
flags in any of the
questionnaires.
By clicking on individual
questionnaires, Buyers can
see the status of each
supplier and if any flags
have been raised.

15. View supplier GDPR responses
Each supplier profile
contains multiple tabs of
information for that
supplier.
GDPR responses can be
reviewed and scored, and
supporting documents
downloaded.

16. Risk flags
Flags are set for high risk
GDPR non-compliance
issues.
When a supplier publishes
their response, users are
alerted if any flags have
been raised.

17. Performance scorecards
Through the GDPR
scorecard a suppliers
performance can be
calculated in relation to
other suppliers.

18. GDPR Audit – Due Diligence to identify GAP
GDPR data audits provided
standardised review of all
supplier responses.
PDF versions of audits are
available for distribution,
and a database of all
historical audits is held in
the system.
If required, third parties can
be given access to
designated suppliers for
more detailed
auditing/review.

19. DCU Alpha Campus
Old Finglas Rd, Glasnevin
Dublin 11
Phone: +353 1 297 3390
Web: www.clearstreamsolutions.ie
brian@clearstreamsolutions.ie