Third-Party Risk Management


Our Third-Party Risk Management service takes a phased approach; the activities that make up each phase are listed under Key Activities at the end of this page.

Frequently Asked Questions

What is Third-Party Risk Management?

Third-party risk management – also called vendor management or vendor risk management – is the process an organization uses to identify the companies, organizations, and providers that deliver a service or product to it, or to its customers on its behalf, and to assess and monitor the risk those relationships create.

Due to the interconnected nature of global supply chains and the flow of data, you need to know who has access to what information, how it’s being used, and how it’s being protected. From a data security perspective, the goal behind third-party risk management is to build a comprehensive plan and process that assesses and tracks vendor relationships and contracts, identifies and reduces risks, and tracks compliance requirements and metrics.

What is a Third-Party Risk Assessment?

You can’t have third-party risk management without a third-party risk assessment. The assessment process helps businesses analyze their relationships – whether new or ongoing – to ensure the vendor can uphold your privacy and security obligations.

Your process should follow a standardized checklist for every potential vendor. Any third-party risk assessment process should include the following pieces:

  • Vetting and due diligence
  • Risk level identification
  • Establishing contracts

Assessments should take place before onboarding a new vendor and throughout the life of the relationship. For ongoing vendor relationships, repeat the third-party risk assessment at least annually, including a data inventory (what data the vendor holds and where), a security and privacy questionnaire, and a contract review.

What is the difference between third- and fourth-party vendors?

A third-party vendor is an organization, entity, business, or person with whom you’ve entered into an agreement to provide a service or product on your behalf.

But even vendors have vendors – known as sub-processors in the world of GDPR. You don’t have a direct relationship with them, nor do you have a contract with them specifically. They are relevant to your risk assessment nonetheless: your third-party vendors’ own vendors, the fourth parties, end up with access to your data – and your clients’ data.

And if they experience issues, it can impact your business operations and your clients’ security. These problems can be as temporary as a service outage or as impactful as a data breach.

Either way, you need to know that these vendors are doing their part to stay compliant.

Do I have to implement a third-party risk management process for all my vendors or just the most critical ones?

In an ideal world with unlimited resources, you would want to monitor all your vendors.

However, this isn’t always feasible. If you have limited resources for a third-party risk management program, it’s important to assess which vendors pose the greatest security risk. From there, you can start monitoring the vendors that are most critical.

It’s important to be exceedingly thorough when making these determinations. Rank vendors by the access they have and the impact of their failure, not by contract size: a small vendor with a network connection into your environment or a copy of your customer data can be more critical than a large one that holds nothing sensitive. Security threats come from many corners, often the ones that we don’t suspect.

What standards should my vendors meet?

This is almost entirely dependent on the industry that you work in. If you’re in the medical field, you’ll want to ensure that any vendor handling protected health information is HIPAA compliant and bound by a business associate agreement; if you’re in the financial industry, you’ll need to ensure that your vendors meet OCC guidance, PCI compliance, and more.

To ensure that your vendors are meeting standards, your lawyers and IT department will work together to define:

  • How you define sensitive information
  • Which compliance and regulatory measures your vendors need to meet under GDPR, CCPA, and any other applicable privacy laws and regulations
  • How to determine whether your vendors meet those standards

I have a Data Processing Agreement (DPA), is this sufficient?

Having privacy terms in your vendor contracts is a great start. However, it is also important to know how your vendors operate, what they do with your data, and how they protect it. Well-defined onboarding and offboarding processes help ensure you stay aware of who has your data and what is being done with it, and that access and data are actually removed when a relationship ends. Additionally, you need a process in place to verify that your vendors are complying with the contracts you have with them, rather than relying on the signed terms alone.

What is the difference between a Third Party and a Service Provider?

  • GDPR’s Third Party: Under the General Data Protection Regulation (GDPR), a third party refers to any entity other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data. Third parties can include recipients of personal data who are not specifically covered by a controller-processor relationship.
  • CCPA’s Service Provider: The California Consumer Privacy Act (CCPA) defines a service provider as a legal entity that processes personal information on behalf of a business and that is contracted by the business to perform services. Service providers are subject to contractual obligations regarding the handling and protection of personal information, as specified in agreements with the businesses that hire them.

In short, both the GDPR’s third party and the CCPA’s service provider are entities outside the direct relationship between data subjects and the business, but the CCPA’s service provider specifically refers to an entity contracted by the business to process personal information under contractual obligations. The GDPR’s third party is broader, covering any recipient of personal data outside the controller-processor relationship; the GDPR term closest to the CCPA’s service provider is actually the processor, not the third party.

Key Activities

  • Scoping and discovery
  • Develop policy, process, and procedures
  • Create assessment templates
  • Execute assessments
  • Review assessments
  • Software implementation
  • Training
  • Maintenance, updates, and ongoing assessments