November 18, 2022
What every Chief Privacy Officer should know about third-party risk management
Every enterprise has numerous business relationships with third parties, such as suppliers, vendors, and service providers. Effectively managing these relationships requires accounting for every aspect of risk – including data privacy. This is a primary responsibility of the Chief Privacy Officer (CPO).
Typically, CPOs track risk via a process called data mapping, in which data is discovered, assessed, and tracked as it flows throughout the organization, including to third parties. In this way, the CPO determines not just the nature and sources of the data, but also the potential risks associated with it – to the organization itself and to its customers.
For instance, if a third party with access to your organization’s sensitive customer data has inadequate information security controls in place, your business could suffer a data breach. The resulting customer data exposure has consequences, including loss of trust from customers and penalties for failing to comply with applicable data privacy regulations. For this reason, CPOs must be conscious of regulatory requirements, and how third parties may be putting them at risk of not meeting those requirements.
An organization that shares its personal data with third parties is known as a controller, while a third party that handles personal data on behalf of the controller is known as a processor.
All US state privacy laws have certain obligations for processors. They must enter into a contract where the controller defines instructions for processing data, the nature and purpose of processing, the duration of processing, and the rights and obligations of both parties. This means the onus is on the CPO to create a contract that protects the organization while holding the processor accountable.
3 third-party risk challenges for privacy officers
CPOs face three basic challenges in the fulfillment of their charters:
- Overcoming complexity in data mapping
- Honoring “do not sell or share my data” requests
- Demonstrating regulatory compliance
First, data mapping is certainly a great way to start minimizing privacy risks involving third parties. But it may not be immediately clear to CPOs how best to establish data mapping.
Consider that most organizations must manage a tremendous volume of data, of many types, stemming from many sources. That data also has varying levels of complexity, utilization, and importance to operations and services. Even if it can all be discovered and tracked, there are still the underlying questions of what class of data it is, how the organization is using it, and what steps the organization is legally required to take to protect it and to safeguard the transfer of data across borders.
Second, as a consequence of relatively new regulations pertaining to consumer privacy, organizations must be careful that data is not sold, shared, transmitted, or copied inappropriately. Ensuring compliance requires effective third-party risk management. For instance, if a customer requests that an organization stop sharing or selling their data, then both the organization and its third parties must comply with that request. To enforce this, the organization must understand which data is accessible to which third parties, and how those third parties process and use that data.
Finally, it’s never enough to simply achieve compliance with regulations. It’s equally important for organizations to demonstrate that they’ve achieved compliance. This means being able to respond quickly to a government audit, or to address concerns that customers or business partners may have pertaining to data privacy. Failing to demonstrate compliance can lead to heavy fines and operational penalties, problematic public relations, and ultimately, diminished customer satisfaction and market share. In contrast, successfully demonstrating compliance has many benefits, including building trust with customers.
3 third-party risk best practices for privacy teams
Just as there are three primary challenges involved with third-party risk management for privacy, there are also three best practices that can help CPOs optimize outcomes:
- Align workflows across business silos
- Link third parties to the data map
- Use a solution that helps scale privacy
First, don’t operate in a vacuum. In most larger organizations, the privacy team will be part of a wider third-party management group that includes business units such as security, ethics, and environmental, social, and governance (ESG). Those other teams can and should play a key role in helping the privacy team – just as the privacy team can symbiotically help them by sharing information where it’s pertinent. For instance, if privacy is looking for information about a particular third party, security may already have it and be able to share it, thus removing the need to go back to the third party with another questionnaire.
Second, be sure to integrate third parties into the holistic data map. This will make it clear which data sets are moving where, and for what purpose. From this, CPOs can gain a better understanding of how that data movement could impact business resilience, data security, and regulatory compliance. This information is foundational to any successful privacy risk mitigation strategy. Therefore, it must be accurate and updated frequently as new third parties are added and new regulatory requirements arise.
Privacy risk assessments, commonly known as PIAs, are now required under certain criteria for the processing of personal data in all new state laws.
Finally, leverage the best available tools for the job. Too often, organizations try to improvise a data mapping and privacy strategy via ad hoc tools such as spreadsheets, email, or hastily constructed databases. Because these tools weren’t purpose-built for the complex job of data mapping, they’re unlikely to deliver the best results. It’s essential to use dedicated solutions with a comprehensive feature set, so that the full strategy can be visualized and implemented at a granular level, modified to address new requirements, and used to generate the right records at the right time (such as those needed to satisfy an auditor).
Where does automation fit in?
Automation is enormously helpful for third-party risk management because it helps remove the potential for human error while also accelerating processes and simplifying cross-domain integration.
Automated workflow management, for instance, can align workflows, ensuring consistent execution across teams and organizations. Automated assessment, reassessment, and risk-flagging can bring a high-risk scenario to the attention of relevant team members before it causes problems.
Additionally, automation can:
- Generate top-line revenue by enabling more efficient onboarding and management of third parties that help drive revenue
- Build resilience into third-party workflows and management
- Establish buy-in across the organization, leading to business continuity, faster vendor onboarding, and faster time to market
Similarly, an automated third-party review can help an organization determine whether a particular third party is taking appropriate steps to ensure data privacy. Record-keeping and record-generation are great candidates for automation as well – and are both directly applicable to meeting compliance challenges.
How can OneTrust help?
OneTrust Privacy Management works hand-in-hand with OneTrust Third-Party Risk Management to create a unified privacy and third-party risk management platform that helps build trust and transparency, while complying with hundreds of data privacy laws from jurisdictions around the world. To see OneTrust Privacy Management in action, request a one-on-one demo today.