Forty years ago, it wasn’t uncommon to see large groups of kids running around unsupervised. No kid had a cell phone or a home computer with access to weird internet sites.
Just good old-fashioned fun, à la The Goonies.
However, the world is different than it was forty years ago, and parenting trends have changed to reflect that.
New technology has created new expectations for how we monitor our kids. You want to know where your kids are and who they’re (really) with. You want to make sure they’re safe. You want to look up other parents on social media and get a vibe check before you OK sleepovers.
Managing third-party data risks isn’t that different.
Twenty years ago, you might have handed over your data to a third-party vendor without much thought.
Now, just like parents planning a kid’s sleepover with a new family, businesses have to weigh the risk of exposing their data to a third party’s behaviors and practices.
Luckily, similar to the advent of GPS tracking and text messages for parents, there are ways for businesses to minimize the risk of sharing their data with third parties.
Why should businesses care about how third-party vendors use their data?
You are responsible for your company and consumer data, and each vendor you bring on board widens your exposure to a privacy or security breach. Security Magazine reports that a staggering 52% of data breaches are attributed to third parties.
For many businesses, protecting consumer data from third-party risk is required by law. Privacy regulations in states like California, Colorado, Connecticut, and Virginia, not to mention the EU’s GDPR, require that businesses assess and manage the risks associated with their vendors who handle personal data.
If your company is found to have failed to perform vendor assessments or to properly mitigate the risk of a third-party engagement, you can be held liable for what that third party does with your company’s data. The consequences range from fines to reputational damage to legal action.
Third-Party Risk Management Guide
Check out our Third-Party Risk Management Guide for tips and practical guidance you can implement right away.
Five steps to protect your business from vendor risk
Each business will have its own unique data privacy concerns. Still, a five-step process breaks risk minimization down from one huge, overwhelming task into manageable pieces.
1. Establish internal data governance
First, you need to get your own house in order. That means figuring out what you’re doing with data before anything else. In other words, you need internal data governance.
Data governance is a nuanced topic, but in general, it boils down to:
- Data quality: Is your data accurate? Consistent? Reliable?
- Data stewardship: Who is responsible for data and ensuring its quality?
- Data protection and compliance: How are security and privacy upheld? How is compliance managed?
- Data management: How is data handled, stored, retained, and (in general) managed across its lifecycle? What kind of data-related workflows are needed?
To establish internal data governance, you should complete an internal data processing review to:
- Figure out which privacy regulations apply to you.
- Run a comprehensive data inventory to assess how you collect, use, and store consumer data.
- Update your privacy policy and notice to meet compliance requirements—and best practices.
- Define system requirements.
- Create an incident response plan.
Once your own data privacy practices are in place, you can move on to minimizing vendor risk.
2. Identify potential vendor risks
Depending on your field, your vendors may be required to meet specific standards. For example, if you’re in the medical field, your vendor should be HIPAA compliant. If you’re in the financial industry, your vendor should meet OCC guidance and PCI DSS requirements, among other things.
Work with your legal and IT teams to define:
- What data privacy laws apply to your company?
- What company data is protected under data privacy and security laws?
- What requirements must your vendors meet under applicable privacy laws and regulations?
From here, you can set the specific requirements each vendor must meet to protect your data.
Note: not all third parties are held to the same data privacy rules. A processor under the GDPR is not the same thing as a service provider under the CCPA, and each regulation may set different thresholds and requirements for vendor risk mitigation.
3. Assess vendor risk levels
Ask any kid which parent they’d rather tell about a bad grade: not all risks are equal. The same goes for vendor risk profiles. Some vendors pose a far greater privacy threat than others when you bring them into your operations.
That’s why a vendor risk assessment is critical.
How to do a vendor risk assessment
Your vendor risk assessment should be a standardized process that occurs with every new vendor and annually for ongoing vendor relationships. It includes:
- Vetting and due diligence
- Risk level identification
For ongoing vendor relationships, your annual third-party risk assessment should include both questionnaires and contract reviews.
Vendor assessments can be completed using spreadsheets, Word documents, or specialized software; there’s a big market of GRC and other vendor management tools. Choose according to your specific business needs.
Involve the whole team.
Bring managers from across your company into the vendor risk assessment process. Your legal and IT teams may be able to lead the charge, but they’ll need some help.
Why is this important? Different departments work with different vendors. Even if you have a list of every vendor you work with, you may not understand the exact purpose or function of each relationship without the people who manage it.
Establish vendor governance procedures.
Once everyone’s on board, create governance procedures. Who is responsible for new vendor assessments? Who will provide oversight of the process? Where can people go if they have any questions?
Establishing these answers at the outset will help to create a smoother overall process (and prevent a few headaches).
Review how third-party operations intersect with your data inventory.
Don’t just assume that your data is protected. Review the risk exposure for yourself.
- How does your vendor interact with your company data?
- Where in the system do they come in?
- What protections are in place?
- What type of access do they have to your data?
- Within that third party, who has access to your company’s data?
- What protections do they have in place?
- Is it compliant with applicable privacy laws?
Look out for red flags.
Certain business processes (or lack thereof) may significantly increase vendor risk.
Some red flags include:
- They don’t have data protection processes in place.
- They don’t carry out internal risk assessments.
- They don’t have a formal security policy.
- They don’t have an incident response plan.
Risk level identification
You probably don’t have the resources to address every vendor at once. To make the most of your time, rank your vendors by risk level and address the vendors that pose the highest risk to your business first.
For example:
- The highest-risk vendors may work directly with consumer data or even interact with your customers.
- The lowest-risk vendor may be a non-essential vendor that doesn’t interact at all with your customers or customer data.
4. Mitigate vendor risk
Starting with your high-risk vendors, get a data processing agreement in place.
A data processing agreement is a legally binding contract stipulating how a third party may process, share, or use your company data, and what obligations it has to protect that data. This protects your business, helps you avoid data privacy violations, and gives your customers peace of mind.
Key points to cover in your data processing agreements include:
- Categories of information to be processed
- Duration of the processing
- Location of the personal data
- Obligations surrounding:
  - How they process personal information
  - Compliance with applicable data protection laws
  - Use of sub-processors
  - Data breaches, including liability and notification
  - Data security
  - How they’ll assist you in maintaining compliance
- Requirement to notify you if they can’t meet contractual obligations
- Your right to monitor compliance with the contract
- Instructions on the return or destruction of personal data at the end of the agreement
However, remember that different laws have different requirements for what a data processing agreement must include. Your best bet is to conduct a regulatory review and understand your obligations.
5. Plan for off-boarding
Just like your middle school crush, not all vendor relationships work out. In the event that you and a vendor “break up,” you need a plan that ensures they won’t have continued access to your data.
This plan should account for:
- Ensuring their accounts, credentials, and integrations no longer have access to shared systems or networks
- How systems or processes might change
- Which internal roles or teams should be notified
- How internal policies or processes might change
- How this change affects data mapping or records of processing activities
(And don’t forget to update your privacy documents and your vendor inventory!)
Vendor risk minimization is an ongoing process. Take your time.
Your data is like your company’s child. It needs protection from the third parties of the world.
But, just like with children, you don’t protect your data once and call it a day. It’s a long process. So take your time and take it step by step.
And just like parents, you don’t have to go at it alone. There are plenty of resources, from books to podcasts to vetting tools, to help you navigate the process. And if you’re overwhelmed, you can always reach out to a third-party expert for help. Red Clover Advisors has deep experience helping businesses reduce privacy risks associated with vendors.