March 7, 2023
Why data privacy and third-party risk teams need to work together
In today’s interconnected business environment, every company relies on an ecosystem of suppliers, vendors, and service providers. These third-party relationships can drive business value, but they also create risk. That’s why companies are increasingly designating third-party risk management (TPRM) teams to assess and mitigate third-party risk across the business.
Third-party risk can lead to data breaches, supply-chain breakdowns, adverse media, and other events that cause reputational damage to the company. CEOs and other senior executives need visibility into these risks at the organizational level, and a unified TPRM strategy can provide it.
Even where a dedicated TPRM team oversees risk across a company, other teams still have a role to play. In fact, business leaders such as the Chief Privacy Officer should encourage collaboration and information sharing between their teams and the TPRM team. Collaboration is mutually beneficial: each team holds information and insights that can help the other achieve their common goals.
Companies of all sizes are quickly pivoting from third-party risk management to holistic third-party management. Learn more about the shift in this eBook.
How does third-party risk impact the privacy team?
When your organization works with a third party, you often give up some degree of control over your data, including your customers’ sensitive personal data. Your organization remains ultimately responsible for how third parties handle that data. Any form of data breach damages the company’s reputation, even if the third party is ultimately at fault.
The same can be said for compliance requirements. Many data privacy regulations, including the General Data Protection Regulation (GDPR) in Europe and state-level regulations in California, Colorado, Connecticut, Utah, and Virginia, include requirements related to third-party risk, which means an organization can be held legally responsible if its third parties aren’t handling sensitive information properly. To demonstrate compliance with these requirements, businesses need effective collaboration between the data privacy and TPRM teams.
For example, many data privacy regulations include a requirement to honor “do not sell or share my data” requests. This requirement applies to both controllers – the organizations sharing the data – and processors – the third parties that handle data on behalf of the controllers. To ensure that all processors honor these requests as they come in, data privacy teams need to know which third parties have access to customer data and how they’re using it. In short, data privacy teams and TPRM teams need to be on the same page.
To protect against risk and address the challenges mentioned above, data privacy teams use a process called data mapping to gather the insights they need to answer key questions about their data, including:
- Who is the organization sharing data with?
- What data is the organization sharing, and for what purpose?
- Where is the data going? If it’s being transferred across borders, that could create additional compliance challenges.
- What privacy controls are third parties using to protect the data as it moves?
Data mapping can be complex and time-consuming due to the extremely high volume of data organizations handle from many different data sources. The good news is that very few privacy teams are starting from scratch. Privacy laws that require data mapping have been in place for several years now. For instance, it’s very likely that any company that does business with citizens of the European Union already has a data map in place, since they would have needed to create one back when GDPR first took effect.
Privacy teams can share their data maps to help inform the work the TPRM team is doing. For example, it can be very helpful for the TPRM team to know what processing activities third parties are engaged in. When a single third party owns multiple services, the business may have multiple engagements with that third party, with unique data-processing activities for each service. This kind of complexity can be difficult for the TPRM team to keep track of. Once again, the privacy team can help them do so by sharing information from the data map.
How can third-party risk teams help privacy teams?
Just as the privacy team can support the third-party risk team by sharing the data map, TPRM teams can help privacy teams by sharing information from their third-party inventory. Most TPRM teams already have a complete inventory of the third parties the organization currently works with, and they’ll continue to update that inventory any time they onboard new third parties.
The inventory includes information gathered during the initial due diligence, assessment, and monitoring phases of the third-party risk management lifecycle. Some of this information, such as details about what data protection and cybersecurity safeguards a particular third party has in place, could be directly beneficial to the work that the data privacy team is doing. Sharing that information freely helps both teams work toward their common goal of mitigating third-party risk.
Many data protection laws require organizations to perform privacy risk assessments, also known as privacy impact assessments (PIAs). Performing a PIA helps the privacy team understand where the organization may be placing customers’ sensitive data at risk and create a strategy to mitigate that risk. The privacy team can use data and insights sourced from third-party risk assessments to inform and streamline their own risk assessments.
Finally, the TPRM team can take the lead on automating privacy workflows. In addition to streamlining third-party onboarding, workflow automation can help ensure ongoing collaboration between the TPRM team and the data privacy team. For instance, any time an automated third-party review indicates that a particular vendor may not have adequate data privacy protections in place, the workflow can be set up to automatically share that information with the data privacy team, ensuring that they know about the potential risk as soon as it’s identified.
How can OneTrust help?
OneTrust Privacy Management can be used alongside OneTrust Third-Party Risk Management to create a unified platform for managing privacy and third-party risk. By enabling effective collaboration between the two teams, the OneTrust platform helps all team members get the insights and information they need to truly understand the vulnerabilities facing the organization, take the necessary steps to ensure compliance with hundreds of privacy regulations from around the world, and continue building trust and transparency with customers.
To see for yourself how OneTrust can help your organization manage third-party risk, request a one-on-one demo today.