Blog

Are your third parties a privacy compliance liability?

Exposing weak links across your supply chain to ensure data is secure

Katrina Dalao
Sr. Content Marketing Specialist, CIPM, CIPP/E
November 7, 2023

Integrating data privacy compliance and security
Third-Party Risk Management lifecycle overview
5 tips to reduce exposure to third-party risk
Prioritizing data privacy

With more data comes more responsibility. These days, organizations that collect, process, transmit, or store any personal data are finding themselves at the epicenter of a rapidly evolving landscape. Pressure is coming from all sides to ensure personal data is properly handled and protected.

Not only is there an increase of privacy and security regulations across jurisdictions, but 86% of customers in the U.S. are becoming more concerned about data privacy. “The general public’s awareness around the potential harm they could experience if their data is misused or abused has really never been higher,” says Chris Paterson, Director of Strategy, Third Party Management at OneTrust.

Maintaining data privacy and security within internal systems is already a challenge. But what happens when the data is out of your hands? The average organization works with 10 different third parties — and with every one of those third parties comes 60 – 90 times that number of fourth-party relationships.

That’s a lot of parties. But no matter who is holding your data, any breach or incident that takes place is ultimately your organization’s responsibility.

The shifts in privacy and security regulations, and how data flows throughout the third-party management (TPM) lifecycle, requires constant monitoring and oversight. How can you ensure your organization stays protected and compliant?

OneTrust Third-Party Management takes a data-centric and risk-based approach to increase visibility across your third-party engagements.

Integrating data privacy compliance and security

There are hundreds of laws, regulations, standards, and frameworks designed to help organizations properly handle data — and nearly all of them include some guidance on how to manage third parties.

“None of these frameworks just focus on an organization's own internal operations,” says Paterson. “They require each organization that's subject to the framework to impose those same standards and expectations directly onto their third parties.”

And this doesn’t only apply to data security. A substantial amount of privacy risk is also assumed whenever personal data is collected, transmitted, processed, or stored by third parties.

As a result, compliance now involves a delicate balance of both information security and data privacy standards. The following two frameworks have recently been updated to encompass both security and privacy risks:

ISO 27000 series: ISO 27001 was introduced in October 2005 as the first standard of the ISO 27000 series, designed to certify an organization’s information security policies. ISO 27701 came 14 years later, in August 2019, focusing on data privacy and balancing the recognized information security standard.
NIST standards: NIST CSF was first introduced in February 2014 as a set of guidelines, best practices, and standards designed to help organizations manage and reduce cybersecurity risks. The NIST Privacy Framework, which came six years later in January 2020, is a complementary framework that focuses specifically on managing privacy risks.

In the U.S., data privacy laws are also starting to ramp up. State-level regulations have already been introduced in California, Colorado, Connecticut, Iowa, Utah, and Virginia, as more continue to roll out across the country.

Overview of the Third-Party Risk Management lifecycle

Before diving into the specific data privacy strategies, let’s first walk through the third-party risk management (TPRM) lifecycle.

“Of course, one size does not fit all — every organization is going to have a little bit of a different flavor as to how they do this,” says Paterson. “But having worked with thousands of customers across the third-party management and privacy space, we've distilled this into five key areas organizations should be evaluating,”

Stage 1: Intake

The first stage focuses on centralizing the collection of all third-party information, which eliminates multiple entry points and potential blind spots further downstream.

Centralization can be accomplished through a single self-service portal, where employees request the addition of vendors, suppliers, or other parties, or as part of a contract lifecycle management or resource planning tool.

Implementing a self-service intake process gives organizations a head-start on gathering critical third-party information, including privacy certifications, engagement scope, and data types. This helps classify and prioritize third parties from the very beginning, based on their inherent risk to the organization.

Stage 2: Screen

The second stage is to screen and conduct due diligence checks on potential third parties. Some questions to ask during this step include:

How do we check to make sure this potential third party doesn't have political exposure?
How do we check for cases of anti-money laundering, anti-corruption, or bribery?

To answer these questions, organizations typically check third parties against sanctions lists, watch lists, or even media sources to identify issues that could pose a high-risk relationship.

In most cases, TPRM will go beyond data privacy and security. It’s important to look at all other types of risks, such as regulatory compliance, ethics, ESG, geopolitics, etc., that can have a potential impact on your operations.

The goal of this step is to uncover any risks associated with the third party and, if your organization still decides to pursue the relationship, to design an appropriate assessment and mitigation approach.

Stage 3: Assess

Out of the entire TPM lifecycle, the assessment stage is the most time- and resource-intensive. It’s also where risk management can be combined with privacy evaluations and other compliance concerns for a more holistic assessment.

Streamline assessments by leveraging dedicated tools that have built-in templates to address various risk domains, including privacy and compliance, data protection, cyber risk, and more.

A third-party risk exchange can also provide pre-validated information to help fact-check the information provided by the third party.

Stage 4: Review

Now it’s time to review all the third-party information and insights collected during the previous stages.

For instance, say a third party that’s under review demonstrates a mature security posture, but is just starting its privacy program. It can’t define whose data it’s collecting, the data elements being collected, and the purpose for data processing. This presents a significant privacy risk to your organization.

Based on these findings, stakeholders can now assign an appropriate risk score and criticality level, and determine the best approach for managing the particular third party.

Stage 5: Monitor

As new risks and regulations arise, and a third party’s scope of service evolves, ongoing monitoring is critical to maintaining a healthy relationship.

Effective third-party monitoring typically includes a routine of:

Assessing specific risk areas.
Setting a recommended assessment cadence.
Determining what to include in the questionnaire sent to each third party (based on the specific domains, business scopes, security and privacy compliance).

“In my experience, this stage is where a lot of organizations have a tremendous opportunity to improve efficiency — by automating the ongoing monitoring of third parties,” says Paterson.

5 tips to reduce exposure to third-party risk

As your organization continues to grow its third-party network, it’s necessary to establish a trusted process that identifies risk and reduces exposure across domains.

Here are some of the proven tips to maintain privacy and security compliance at every step of the TPM lifecycle:

Tip 1: Understand where your data is going

An organization may already manage hundreds or thousands of third parties. But when it comes to personal data, keeping tabs on third-party processes is not enough. You need to track how data moves from the third party to fourth party, to the Nth party, and so on.

For a complete understanding of where your data is going, ask potential third parties about the other parties they use. This is especially critical for complex operations, such as:

Cross-border data transfers, which often involves additional compliance requirements.
Third parties with a wide scope of multiple services, as each service may involve different types of data.
Additions or changes to a third party’s scope that require updates to contracts and assessments.

Build a model that can help teams visualize every step your data takes as it moves between parties (as shown below).

“If a third party is not willing to disclose how they collect and process data and they're not willing to come to terms with the purpose of processing you’ve set as part of that overall engagement, that’s definitely a privacy risk you have to look into,” says Ashwin. “Do your due diligence and be able to quantify the third party’s risk to the organization. At the end of the day, it’s a business decision you have to make as a team or organization.”

"If you don't ask, you'll never know. Many third parties will not disclose information about things like ultimate beneficial ownership unless they're directly prompted to disclose it."

Chris Paterson, Director of Strategy, Third Party Management OneTrust

Tip 2: Adapt workflows based on impact of risk

Not all third-party risks are created equal. However, many organizations send the same blanket assessment with thousands of questions to every one of their third parties.

The result? Assessment fatigue among the third parties that have to provide the information, as well as across the internal teams tasked to review each response.

A better approach is to assess third-party risks per domain. “Whether it’s privacy, security, or something else, a lot of organizations see success when they branch out their workflows and quantify risk in a way that actually helps understand the source of that inherent risk,” says Paterson.

By only asking what’s relevant to that particular third party, you create a considerably easier assessment process and deliver more accurate and precise responses.

Tip 3: Leverage contracting to break down silos

Contracting is one of the most critical elements to building a TPM program.

“What we tend to see in a lot of organizations is that the teams focused on contracting and the teams focused on data protection, security, and compliance work in silos. They often see each other as a hindrance to their own undertaking,” says Paterson. “But we should really think about how to integrate the concepts that ensure data from one side of the fence is being clearly translated over to the other.”

A comprehensive contract draws insights from all stakeholders. For example, contract lifecycle management will prioritize the third party’s contractual obligations. On the other hand, TPM will look at the types of risk and security controls, while privacy will focus on data protection and retention policies.

By ensuring that a third-party contract covers all these concerns, organizations are better able to mitigate the risks associated with third-party relationships.

Tip 4: Prepare for the unexpected

One of the most common mistakes in managing third-party risk is spending the majority of resources on evaluating and onboarding, and leaving very little for ongoing management. However, management is potentially the longest stage in the third party’s lifecycle and critical to mitigating risks in the long run.

Prepare your organization for the unexpected by building defensibility with your third parties. This can include a variety of activities:

Organizing all data in a single inventory, where privacy, security, and third-party teams can access and understand everything in scope.
Aligning stakeholders across teams to share insights that can help better achieve common goals.
Running a tabletop exercise with critical third parties to understand what would happen if they suffered a breach.
Reviewing any potential changes that may impact your organization’s risk exposure, and continuously refining established TPM practices.

"The main thing is to free up more time for TPM and privacy teams to engage directly with third parties throughout the lifecycle, rather than trying to frontload all of the risk identification components."

Chris Paterson, Director of Strategy, Third Party Management OneTrust

Tip 5: Identify areas for easy automation

As with any routine process, automation can greatly help streamline operations and reduce unnecessary manual effort. Here are key opportunities for automation at each stage of the TPM lifecycle:

Intake: Automate data collection through a self-service portal, which can be used by teams to request a new third-party service or view details for existing third parties.
Screen: Leverage automation to conduct initial due diligence, check against government sanctions and watchlists, and perform data analysis for every potential third party.
Assess: Implement workflow intelligence to automatically identify gaps or risks, trigger appropriate responses based on received inputs, and collect data to facilitate decision-making at scale.
Review: Automatically create and assign tasks to relevant teams to perform third-party reviews based on questionnaire responses and other collected data.
Monitor: Implement automated threat detection and alert systems that notify teams of any issues or changes in the third party's risk profile.
Analysis: Utilize data analytics tools to automatically identify trends across third parties and generate reports and risk analysis for stakeholders.

Prioritizing data privacy in third-party management

As organizations continue to increase their use of third parties — and subsequently, their overall data and risk exposure — it’s even more critical for privacy and TPM disciplines to work together. Privacy teams offer an additional layer of data protection to the existing TPM focus on risk, regulations, and security controls.

The tips outlined above can help align teams at every stage of your TPM lifecycle. By centralizing all third-party data and using automation to streamline the process, an integrated privacy and TPM program facilitates compliance, maintains trust, and ensures data integrity.

Reduce risk, build trust, and enhance business resilience by unifying third-party management across privacy, security, ethics, and ESG. Book a demo today.

Your partner in trust transformation

Privacy Matters

Our privacy center makes it easy to see how
we collect and use your information.

Your privacy

When we collect your personal information, we always inform you of your rights and make it easy for you to exercise them. Where possible, we also let you manage your preferences about how much information you choose to share with us, or our partners.

Blog

Are your third parties a privacy compliance liability?

Table of contents

Integrating data privacy compliance and security

Overview of the Third-Party Risk Management lifecycle

Stage 1: Intake

Stage 2: Screen

Stage 3: Assess

Stage 4: Review

Stage 5: Monitor

5 tips to reduce exposure to third-party risk

Tip 1: Understand where your data is going

"If you don't ask, you'll never know. Many third parties will not disclose information about things like ultimate beneficial ownership unless they're directly prompted to disclose it."

Tip 2: Adapt workflows based on impact of risk

Tip 3: Leverage contracting to break down silos

Tip 4: Prepare for the unexpected

"The main thing is to free up more time for TPM and privacy teams to engage directly with third parties throughout the lifecycle, rather than trying to frontload all of the risk identification components."

Tip 5: Identify areas for easy automation

Prioritizing data privacy in third-party management

You may also like

Third-Party Risk

Live demo: Building your third-party risk management program with OneTrust

Register for this live demo to learn more about OneTrust Third-Party Risk Management solutions.

July 24, 2024

Third-Party Risk

Protecting your reputation: 3 ways a unified third-party management program can help

This webinar will show you how to develop strategies for assessing reputational risks as it relates to third parties and the impact of third-party relationships.

June 12, 2024

Third-Party Risk

Third-Party risk management and due diligence: What's the difference and why does it matter?

In this webinar, we’ll discuss the unique competencies of third-party risk and due diligence programs and examine when and how to align them.

May 08, 2024

Third-Party Risk

5 Best practices for increasing resilience when working with third parties webinar

Learn how to leverage financial, operations, compliance, ESG, and cyber scores to drive resilience insights and detect possible supply chain disruptions.

April 18, 2024

Third-Party Risk

OneTrust third-party management demo video

Watch this demo video to learn how OneTrust third-party management helps organizations create resilient, secure, and scalable third-party ecosystems.

April 04, 2024

Third-Party Risk

6 steps to effective third-party risk management

See the path to managing third-party risk effectively with a checklist that outlines the six steps for a sound TPRM program.

March 29, 2024

Third-Party Risk

TPRM privacy compliance: 10 best practices when working with third parties

How can you build a privacy-focused TPRM program? In this webinar, we discuss best practices for privacy compliance when working with third parties, from onboarding to offboarding.

March 13, 2024

Third-Party Risk

6 must-know trends in third-party management

Watch this video for the five top trends shaping the third-party management industry this year.

February 15, 2024

AI Governance

Questions to add to existing vendor assessments for AI

Managing third-party risk is a critical part of AI governance, but you don’t have to start from scratch. Use these questions to adapt your existing vendor assessments to be used for AI.

January 31, 2024

Third-Party Risk

4 top-of-mind challenges for CISOs in 2024

What key challenges do CISOs face going into the new year? Download this infographic to hear what experts from industries across the board have to say.

January 30, 2024

Third-Party Risk

A look back at 2023 & third-party management trends for the new year

Join this webinar as we discuss key trends for third-party management and lessons learned over the last year.

January 24, 2024

Third-Party Risk

Live demo EMEA: Master third-party risk management with OneTrust

Attend this demo to see how our TPRM solution can help you identify and mitigate risk as well as automate manual and repetitive tasks to ultimately reduce the time you spend managing your vendors

January 23, 2024

Third-Party Risk

Utilizing inherent risk for more efficient third-party management

Insight into your third parties’ inherent risks can change the way you run your TPM program.

November 30, 2023

Third-Party Risk

Elevating third-party safety: The art of TPRM and TPDD integration

Join our webinar to learn the primary goals of successful Third-Party Risk and Third-Party Due Diligence programs.

November 21, 2023

Ethics Program Management

Ethics Exchange: Risk assessments

Join our risk assessments experts as we discuss best practices, program templates, and how provide an assessment that provides the best value for your organization.

October 25, 2023