Vendors are critical for most businesses. They make your operations more efficient and deliver valuable services to your customers. But there’s a twist – with each vendor you bring on board, you’re also inviting a bundle of privacy risks. Information moves between businesses and across borders quickly. Do you know who has access to this information and how they’re handling it? After all, you’re responsible for your data.
Managing these third parties appropriately can make or break your privacy program. Red Clover’s Third-Party Risk Management (TPRM) services are designed to identify, assess, monitor, and mitigate risks associated with third-party vendors, including suppliers and service providers.
Our Third-Party Risk Management takes a phased approach and includes:
- Developing a third-party risk management process to:
  - Assess critical risk categories: strategic, reputational, operational, financial, compliance, security, and/or fraud.
  - Implement privacy and security questionnaires for evaluating vendors in a consistent, structured manner.
  - Craft a written third-party vendor risk management policy.
  - Review vendor contracts to evaluate whether you may be selling or sharing personal information.
- Creating a vendor assessment, either manually or by helping you implement the assessment in a privacy software platform, including risk scoring and prioritization so that each vendor's risk level is rated and ranked based on its responses.
- Conducting a vendor risk assessment to review vendor data handling practices.
- Providing vendor management training on the process.
- Providing support to manage the review or sending of third-party risk assessments.
Managed Services
Red Clover’s Privacy☘PS® Managed Services Team can help you monitor, execute and maintain these programs to support continued compliance.
Frequently Asked Questions
Third-party risk management – also called vendor management or vendor risk management – is the process businesses go through to identify the companies, organizations, and providers that deliver a service or product to your organization or customers on your behalf.
Due to the interconnected nature of global supply chains and the flow of data, you need to know who has access to what information, how it’s being used, and how it’s being protected. From a data security perspective, the goal behind third-party risk management is to build a comprehensive plan and process that assesses and tracks vendor relationships and contracts, identifies and reduces risks, and tracks compliance requirements and metrics.
You can’t have third-party risk management without a third-party risk assessment. The assessment process helps businesses analyze their relationships – whether new or ongoing – to ensure the vendor can uphold your privacy and security obligations.
Your process should follow a standardized checklist for every potential vendor. Any third-party risk assessment process should include the following pieces:
- Vetting and due diligence
- Risk level identification
- Establishing contracts
Assessments should take place before onboarding new vendors, and throughout the duration of your relationship with that vendor. For ongoing vendor relationships, you should have a third-party risk assessment that takes place annually, including data inventories, questionnaires, and contract reviews.
A third-party vendor is an organization, entity, business, or person with whom you’ve entered into an agreement to provide a service or product on your behalf.
But even vendors have vendors, also known as sub-processors in the world of GDPR. You don’t have a direct relationship with them, nor do you have a contract with them specifically. However, they are still relevant to your risk assessment. Your third-party vendors’ own vendors, the fourth parties, end up with access to your data – and your clients’ data.
And if they experience issues, it can impact your business operations and your clients’ security. These problems can be as temporary as a service outage or as impactful as a data breach.
Either way, you need to know that these vendors are doing their part to stay compliant.
In an ideal world with unlimited resources, you would want to monitor all your vendors.
However, this isn’t always feasible. If you have limited resources for a third-party risk management program, it’s important to assess which vendors pose the greatest security risk. From there, you can start monitoring the vendors that are most critical.
It’s important to be exceedingly thorough when making these determinations. Security threats come from many corners, often the ones that we don’t suspect.
This is almost entirely dependent on the industry that you work in. If you’re in the medical field, you’ll want to ensure that your team is HIPAA compliant; if you’re in the financial industry, you’ll need to ensure that you’re meeting OCC guidance, PCI compliance, and more.
To ensure that your vendors are meeting standards, your lawyers and IT department will work together to define:
- How you define sensitive information
- What compliance and regulatory measures your vendors need to meet under GDPR, CCPA, and any other applicable privacy laws and regulations
- How to determine whether your vendors meet those standards
Having privacy terms in your vendor contracts is a great start. However, it is also important to know how your vendors operate, what they do with your data, and how they protect it. Building and maintaining well-defined onboarding and offboarding processes helps ensure you stay aware of who has your data and what is being done with it. Additionally, you need a process in place to evaluate your vendors’ compliance with the contracts in place.
- GDPR’s Third Party: Under the General Data Protection Regulation (GDPR), a third party refers to any entity other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data. Third parties can include recipients of personal data who are not specifically covered by a controller-processor relationship.
- CCPA’s Service Provider: The California Consumer Privacy Act (CCPA) defines a service provider as a legal entity that processes personal information on behalf of a business and that is contracted by the business to perform services. Service providers are subject to contractual obligations regarding the handling and protection of personal information, as specified in agreements with the businesses that hire them.
In short, while both the GDPR’s definition of third party and the CCPA’s definition of service provider cover entities outside the direct relationship between data subjects and data controllers, the CCPA’s service provider specifically refers to entities contracted by businesses to process personal information and bound by contractual obligations. The GDPR’s third party therefore encompasses a broader range of recipients of personal data.