In its simplest form, a data map tells you what data you have, how it’s used, where it goes, and who has access to it. This information is invaluable for any third-party risk program. Many OneTrust customers have a head start in this department, having spent time building out a data map to comply with new laws such as the General Data Protection Regulation (GDPR). This work can and should be used to improve your third-party risk program, offering you the vendor insights you need to reduce risks.
1. Add an Additional Layer of Risk Detail to Your Data Map
With the context that vendor risk assessments provide, you can add an additional level of risk detail to your data map. The business context outlining how a vendor is used may alter how risks are scored and treated.
For example, Vendor A may store hundreds of thousands of your customers’ email addresses, while Vendor B houses no personal data. However, this can change based on how your team uses each vendor over time.
By making your data map a critical piece of your third-party risk program, you can track the business context and adjust risks according to how each vendor is used. With this understanding, you can also confirm that the right contracts and data processing agreements (DPAs) are in place (and in scope) to cover your vendor engagements. Additionally, integrating your data map into your third-party risk program may help your company identify duplicative systems, where one vendor could be used instead of three – therefore reducing complexity, costs, and risks.
2. Respond to Incidents Faster with Added Intelligence
Should a third-party vendor suffer a data breach, an integrated data map can identify affected individuals, show you how the vendor is being used, and help you pinpoint related systems. This helps your team properly investigate the incident and understand what’s required to meet local breach notification obligations.
3. Generate More Robust Reports and Visualizations
While many people may view a data map as a way to understand how data is used internally, it remains essential to track third-party information as well. By integrating third-party vendors into your company’s data map, you have the ability to create visual data flow and lineage diagrams. These diagrams show where and what data is flowing outside of your organization, as well as how that data is used.
Additionally, an integrated data map makes maintaining Article 30 records of processing activities simpler (for GDPR compliance). Third-party risk assessments help you keep your Article 30 records of processing activities up to date.
4. Keep Your Data Map Evergreen with Up-to-Date Vendor Information
Vendor risk assessments, along with information gathered from a third-party risk exchange like Vendorpedia Exchange, can help populate your data map with detailed information about the assets and services your company uses. Many OneTrust customers use the OneTrust Vendorpedia Platform to auto-add controls, certificates, and other information to the assets in their data map. This information is retrievable directly from Vendorpedia Exchange and eliminates the time-consuming task of unearthing this information through traditional research and assessment methods. What’s more, Vendorpedia Exchange is constantly kept up to date, enabling you to automatically sync any vendor changes to your data map.
5. Streamline Monitoring of Assets, Processes, and Vendors All Under One Roof
OneTrust Data Inventory & Mapping technology and the OneTrust Vendorpedia Platform work seamlessly together to provide you with 360-degree vendor visibility. Together, these tools centralize critical information, and by doing so, add business context that helps third-party risk, security, privacy, IT, legal, and other teams work together in pursuit of a common goal: risk reduction and compliance.
Request a demo today or contact your OneTrust representative to learn more about how the OneTrust Vendorpedia platform can help your company manage third-party risks and build a more complete data map.