The last two years have taught us that conventional wisdom and knowledge around privacy and security need a makeover, in particular as it relates to the EU’s GDPR and the California Consumer Privacy Act. Data controllers and businesses, the entities responsible for what happens to personal data under GDPR and CCPA, respectively, are subject to new obligations that place significant organizational risk squarely on their shoulders. Though compliance issues can come from many places, one often-overlooked area is managing processor/third-party risk.
Third parties (aka processors in the GDPR or information recipients in California law) are critical to organizational operations, from cloud hosting to payroll administration and processing. They hold customer, partner, employee, and confidential data that is the lifeblood of organizations, and we can’t run without them. While many third parties strive to be good stewards of their customers’ data, we find ourselves in a time where trust and good-faith efforts aren’t going to pass muster anymore.
Under the GDPR, CCPA, and other regulations, controllers need to use data processing agreements and other measures to hold their vendors contractually responsible for specific obligations on how data is handled, and, as always, to “trust but verify” that the vendor is acting accordingly. By extension, this includes our vendors’ partners as well, when fourth parties are involved.
Along with contractual measures, controllers need to assess, test and review a vendor’s ability to adequately safeguard the data they are transferring through product, personnel, and organizational protection mechanisms. This also requires that they pass the same data protection expectations downstream.
All of this due diligence should, at all times, be centrally documented and maintained. In the event of an incident or breach, controllers must be able to demonstrate a reasonable and defensible process for vetting third parties, including providing results of their assessments of vendors' practices and commitments to data protection, to help mitigate risks of liability. This also includes identifying potential risks of doing business with a particular vendor, taking actions to mitigate those risks, and continually managing vendors based on the scope and sensitivity of the data they process.
Chances are your organization has already taken steps in this direction. For organizations looking for continual process improvement (CPI) and formal action plans, here’s a sample Vendor Risk Management lifecycle to consider:
This lifecycle is a roadmap to operational Vendor Risk Management that includes:
- Establishing a baseline for new vendors to benchmark associated risks (done during the evaluation and procurement process);
- Mitigating risk down to the lowest possible level and using that analysis to set a cadence for vendor review frequency;
- Documenting all aspects of vendor due diligence, including services agreements, privacy and security risk analysis, data processing agreements, vendor contacts, and internal owners; and
- Reviewing all vendors periodically, including in light of regulatory guidance, to ensure agreements and relationships are maintained with appropriate controls in place as contracts are renewed or new services are rendered.
Organizations should also incorporate privacy/security by design into vendor onboarding practices by integrating with procurement processes to take advantage of work being done today. This could include an early screening, based on what services are being rendered and how they are delivered, to determine whether further privacy and security due diligence will be required.
Editor’s note: For more resources related to GDPR, visit www.isaca.org/gdpr.