Vendor Risk Management – Complying with Data Privacy Regulations
November 17th, 2020 • Kimberley Allan • Reading Time: 5 minutes
The election results have been tallied, and one thing that’s not in dispute is that California voters came out in support of Proposition 24, known as the California Privacy Rights Act (CPRA) or the California Consumer Privacy Act (CCPA) 2.0. This measure expands California’s existing privacy laws and sets in place tighter restrictions on how websites track consumers’ data and sell that information to third parties such as advertisers.
The CPRA amends some provisions of the CCPA, which became enforceable in July 2020. The CPRA will become enforceable in 2023.
The CPRA joins the growing inventory of privacy regulations, which read a bit like an alphabet soup, and also include the GDPR and the SHIELD Act. These regulations – both global and domestic – should force organizations to think holistically about their privacy compliance programs.
Third party* risk and data privacy compliance
Organizations are increasingly relying on third-party vendors to help them collect, process, and dispose of personal data. These can include any service providers or contractors that act on your behalf with access to the personal data of customers or employees, cloud providers that store personal data, and outside agencies that you may have engaged to dispose of client data.
The growing list of privacy regulations that organizations are subject to has prompted a convergence of third-party risk management and data privacy. How third parties protect this data also pulls information security and cybersecurity into the equation.
It’s important to ensure that any of your vendors that come under the scope of data privacy laws are in compliance with them. To do this effectively, you will need to take data privacy into account throughout the lifecycle of the relationship.
1). Intake, due diligence, and qualification
To start with, the regulators expect adequate due diligence in selecting a vendor.
Before you even engage and onboard any new vendor, it’s important that you determine the scope of their engagement and identify and mitigate any data protection risks. Consider first the business and strategic objectives that you have with this third party – why do you intend to engage with them? Are they critical to a project or operations? Will they be involved, in any way, with your data, and does this bring them in scope with the regulation(s)?
You will need to determine what data privacy (and by extension information security and cybersecurity) risks the third party may bring to the relationship, what controls will need to be applied, and whether the identified level of risk is acceptable.
Getting it right at the outset, in a structured and consistent way, enables you to establish the level of due diligence required for the vendor.
Prior to the contract, you’ll want to undertake an Initial Risk Assessment. This will help you determine whether you or your vendors fall into the scope of data privacy regulations.
You will need to determine whether you or your vendors hold any personally identifiable information (PII). Remember this isn’t just customer information, but could include marketing data, membership data, employee information, etc.
You’ll want to understand if any of the PII data belongs to:
California Citizens or Residents (for CCPA)
EU Citizens or Residents (for GDPR)
[or other, as required]
If vendors fall in scope with the regulation, some systems like Aravo can provide conditional logic that will present a series of initial risk questions at this stage. This provides the opportunity to collect some additional information that can be scored and in turn act as triggers for a privacy impact assessment.
The types of questions that can be included at this stage could include:
Does the third party collect, transmit, process, or store data that can be classified as non-public information (NPI), personally identifiable information (PII), or personally identifiable financial information?
And a short series of questions that establish:
The highest level of data classification;
The volume of personal and confidential data records processed by the Vendor/Third Party/Service Provider annually;
What categories of data are accessed, processed, stored, or retained;
Whether the Third Party engages fourth parties or subcontractor(s) for data processing;
How the data processing will occur (e.g. within your organization’s network environment using your organization’s credentials, within the third party’s owned and managed network environment, or both).
Data Privacy Impact Assessment
The initial risk assessment will help determine those vendors in scope for a deeper privacy impact assessment. These will help you determine any issues associated with:
Data. The categories of PII, the data classification of that PII, the volume of PII data, as well as where it is stored, how it is used, and how it is disposed of and/or deleted.
Access. Insight into who and what has access to the data including individuals, departments, and systems, including those that may be subcontracted by the third party (i.e. your fourth parties).
Controls. This provides details of the policies and procedures for data collection, processing, and compliance. It will detail the control frameworks the third party is using both for regulatory compliance (is the third party acting in compliance with the data privacy regulations you are subject to) and also the frameworks for keeping that data safe (information security and cybersecurity frameworks) and how these are checked, documented, and maintained.
It is likely that in addition to data privacy impact assessments, you will also require information security and cybersecurity assessments since these are also integral to the integrity of data privacy.
2). Contracting and onboarding
For any third party (processor under the GDPR; service provider under the CCPA) that processes PII, you should have some form of Data Processing Addendum (or DPA) as part of the contract. This is an amendment to a master services agreement that is designed to bring a service provider’s contract into compliance with the service provider or processor requirements of the CCPA and/or the GDPR.
It is important that both parties understand both their responsibilities and their liabilities associated with the processing of personal data.
3). Ongoing monitoring
The relationship does not end with onboarding – it’s important to continuously monitor both the risk profile and the performance of the third parties you engage with. You will need to establish a clear governance structure and procedures for the monitoring and documentation of both internal and third-party activities relating to your data.
In respect to data privacy compliance, you should also be ensuring you have a robust (and tested) process for data breach notifications. If your vendor has been breached, you want to hear from them immediately (rather than through the media or a customer).
4). Issue management, incident management and remediation
If you are faced with issues (e.g. you are still awaiting certain updated documentation regarding the vendor’s data privacy policy and processes) or incidents (e.g. a data breach) you need a process that allows you to identify the issue or incident, apply appropriate controls, implement corrective action/preventative action plans (CAPA), and monitor remediation.
In the case of data privacy, this is especially important due to the timeframe in which organizations have to notify supervisory authorities and data subjects in the event of a data breach affecting users’ personal information. Under the GDPR, this is just 72 hours.
5). Termination and off-boarding
Finally, offboarding a third-party vendor is just as important a process as onboarding them in the first place. Failure to offboard correctly can expose you to data and compliance breaches. This means it is important to have an effective off-boarding process in place that enables your organization to properly address privacy and security risks.
Any data that the vendor processed must be retrieved or destroyed, and the vendor’s access to data must be disabled. Understanding whether they had any subcontractors that had access to the data is important too – do they have access to data and need to go through a similar process?
The pressure is on, and the fines are escalating. Now is the time for automation.
The regulatory pressure on companies to ensure that they and their vendors are in compliance with data privacy laws will continue to expand and increase. Enforcement actions and fines are escalating. For instance, as of October 2020, over 220 fines have been meted out for GDPR violations, totaling more than €175 million. We can expect this number to continue rising, and for more fines related to data privacy compliance to emerge now that the CCPA is in effect.
Therefore, the need for having effective third-party risk and compliance solutions that can help automate your program has never been more urgent.
* For clarification, the regulations don’t have a standardized naming convention for the third-party vendors who process data (the GDPR refers to ‘processors’ and the CCPA refers to ‘service providers’, with the term ‘third-party’ relating to third parties, such as advertisers, that the organization may sell data to). For the purposes of this blog ‘third parties’ and ‘vendors’ refer to ‘processors’ and ‘service providers’.
Kimberley Allan
Vice President of Marketing at Bidgely
Kimberley is currently the Vice President of Marketing at Bidgely. Prior to this, she served as Chief Marketing Officer at Aravo bringing more than a decade of marketing leadership experience in the GRC space, building brand recognition, thought-leadership, and revenue-accelerating marketing programs.