By Henry J. Schumacher
Working with vendors and third parties is an inherent part of doing business—they provide tremendous value and opportunity. While they may be indispensable to the daily operations of businesses, vendors also present significant risks. These risks are of growing concern, particularly when it comes to privacy.
International privacy laws and regulations such as the EU General Data Protection Regulation (GDPR), the Philippine Data Privacy Act (DPA), and others in the region and beyond, have specific provisions that address vendors and extend companies’ data-privacy obligations throughout their supply chains. In addition, many vendors fail to meet risk-management guidelines and requirements, and may not implement privacy-management best practices despite the expanding regulatory environment and related risks. And as more personal data is transmitted and processed outside the traditional boundaries of a company’s walls through services such as SaaS (Software as a Service), PaaS (Platform as a Service) and IaaS (Infrastructure as a Service), managing data privacy throughout vendor networks is even more critical to address.
You do not have to look far to find examples in the news of data breaches caused by vendors. Forrester research found that a third-party attack or incident caused 21 percent of confirmed security breaches in 2018. Ponemon estimates the cost of a data breach at between $750,000 and $35 million, with the global average in 2018 at $3.86 million and rising each year.
Assuming that you are managing data-privacy risk within your vendor network and either building or carrying out your vendor-management program, the following are some best practices that you may want to implement:
- Map your data to identify data movement and vendors.
- Classify vendors for risk based on the classification of the data they handle.
- Identify places in your vendor network where privacy threats can hide and address them.
- Build partnerships across the organization to have visibility into vendor activity.
- Work with your procurement and legal teams to set vendor review thresholds.
- Collaborate with your information security team to gain a complete view of your vendor posture.
- Ensure your organization understands vendor risk; this is particularly important when you consider the risk of free (no-cost) vendors and services.
- If contract clauses require vendors to take specific actions, make sure there is a consistent way to follow up with the vendor and to act if they do not comply (up to and including terminating the relationship).
A vendor privacy-management program should be tailored to the risk profile of your data and the risk tolerance of your organization. In general, vendor management should start before vendor onboarding—it should start when you are deciding if certain activities should be outsourced and developing the requirements for doing so.
In this context, it may be worthwhile to consider a management tool for data privacy and protection.
The Data Protection Management System (DPMS), for instance, is a SaaS platform that supports your organization's journey to legal and operational compliance with the Data Privacy Act of the Philippines and with the EU General Data Protection Regulation. It is a collaboration and management tool for running the governance, risk and compliance process.
DPMS lets companies start a privacy-management program across the organization immediately and translate their privacy vision into day-to-day operations, down to every employee in the company. It is a platform for protecting organizations from data breaches, which carry heavy fines and jail terms as well as damage to brand and reputation.
The DPMS is ideal for:
- Companies that are already familiar with data-privacy laws but need automated tools to manage the compliance process; and
- Enterprises that need to track compliance across multiple lines of business or business entities.
This software follows the five-pillar framework of the National Privacy Commission (NPC).
1. Commit to comply: Governance structure and DPO (data protection officer).
2. Know your risk: Inventory, assessment and PIA (privacy impact assessment).
3. Be accountable: Privacy-management program.
4. Demonstrate compliance: Implement measures.
5. Be prepared for breaches.
Feedback is welcome; assistance is available; you can contact me via e-mail at Schumacher@eitsc.com