Disclaimer: The views and lessons here are mine alone and do not represent my employer, the LEGO Group, or previous coursework taught at Cleveland State University School of Law.
Every organization relies upon third parties in some capacity. Whether it's a software-as-a-service platform for human resources management, a public cloud provider hosting infrastructure and applications, or even the company that runs the employee canteen, every business has a long list of third parties supporting it.
However, each third party engaged with your organization creates risk. You can't directly control every aspect of the relationship, so you must develop a way to identify, manage, and mitigate that risk. In particular, when third parties process personal data on your behalf, data protection and privacy (DP&P) professionals have an obligation to understand the scope of the processing activities and ensure that they are carried out in a compliant and secure manner.
The risk isn't limited to DP&P either: third parties also create cyber security, environmental, and financial-viability risks for the organization, and they should be thoroughly reviewed by all relevant internal stakeholders before a business relationship begins.
What third party risk management means in practice depends largely on the organization's business activities, financial position, risk tolerance, and existing processes and controls, but at a minimum third parties need to be reviewed, approved, and documented to an agreed-upon standard.
- Most organizations have a process for engaging and onboarding third parties. When the third party is a supplier, there will usually be a procurement or supply chain function that owns the workflow, so that individual employees are not engaging external vendors, service providers, software companies, and consultants in an ad hoc, unapproved, and haphazard manner.
- Not all third parties are suppliers, though. While the most significant third party risk tends to come from companies where you are the customer, you may also engage with organizations for other purposes, such as universities for research or trade organizations for knowledge sharing. When personal data is shared or processed in any of these relationships, it too must be done only with appropriate controls and in a compliant manner.
- The biggest challenge with non-supplier third parties is visibility. You can't govern engagements you don't know about, but a strong DP&P culture and communication strategy can at least create awareness among employees that they should involve the DP&P team whenever they share personal data with any third party, not just suppliers.
- As a DP&P professional it's important to understand how third party suppliers are managed within your organization. A known and well-managed process for engaging suppliers has many benefits, including controlling spend, but it also lets the DP&P office identify and manage the risk of personal data being processed externally. Ideally, the DP&P office can leverage the existing procurement process to achieve its goals for suppliers rather than reinventing the wheel.
- Ideally, you want to start assessing third party suppliers for DP&P risk as early in the procurement process as possible. If there's a formal RFI/RFP process, you can add pertinent DP&P questions to the questionnaire, but at a minimum it's crucial to detect whether a supplier will process personal data and for what purpose.
- When a third party supplier will process personal data, it's vital to understand in what capacity. Not all suppliers need to be treated equally, and it's extremely valuable to have an intake process that captures and categorizes the scope of the processing activities and the associated risk.
- A DP&P supplier intake process can take the form of a questionnaire or general assessment owned by the DP&P office, or it can be part of a larger supplier risk assessment. Its goal should be to assess the supplier's general DP&P risk by ascertaining the basic data protection elements: the data subjects, the personal data elements processed, the processing purpose(s), the physical processing location(s), the general technical and organizational controls in place, and willingness to sign your contracts and data processing agreement (DPA).
- The output of the intake process lets you classify the supplier's risk, which informs next steps. For example, if the third party is a well-established and reputable SaaS employee collaboration tool that will only process limited employee personal data for authentication purposes, will host your instance in your preferred country, and will accept your MSA and DPA, you may deem it low risk and require no direct involvement from the DP&P office.
- At the other end of the spectrum might be an early-stage service provider that performs workplace analytics using a proprietary AI algorithm, requires all employee performance data, and is hosted only in the US (for an EU-based organization, an international data transfer with its own legal requirements). In that situation you may deem the supplier high risk and require a more extensive review and contract process involving the DP&P office.
- Most suppliers will fall somewhere in the middle, and the DP&P office will need a reasonable way to calibrate risk so it can allocate review time and resources accordingly. Finding the right balance and level of involvement takes time and experience, but you should be able to build a sensible process that serves all stakeholders.
- Good documentation is critical in your third party review process. This includes maintaining your records of processing activities related to third parties, but also the risk classification and any decisions or mitigating measures implemented to manage the risk. It's extremely helpful to be able to refer to decisions made several years ago, and the documentation also serves as a repository for audits and inquiries.
- Given the complexity third parties present, it can be extremely valuable to have a third party risk management system with an automated or semi-automated workflow. There are numerous solutions in the marketplace, and a platform that fits your organization and its stakeholders can save time and money as well as serve as the system of record for third party documentation.
- Once a third party is actively engaged with your organization, you must monitor its ongoing compliance with your DP&P policies, standards, and contracts. One way to address this is to develop a third party audit program: build a reasonable audit framework that incorporates your primary third party risks and requirements, then develop a yearly audit schedule that prioritizes the highest-risk third parties. Don't be afraid to ask for evidence of compliance, whether an industry certification (checking that its scope actually covers the service you are buying) or a site visit to observe the processing activities directly.
- A nagging challenge in third party risk management is shadow (or gray) IT. It comes back to the problem of managing a risk you don't know about: with the proliferation of tools and services available online and through app stores, employees will often procure a solution on their own to solve an immediate problem. There's no magic solution to shadow IT, but you can start to tackle it through policies, training, and awareness, and by working with IT and procurement to rein it in.
- A final DP&P consideration is the offboarding of a third party. Eventually the relationship between your organization and a third party will end, and you will want written confirmation that all personal data processed by the third party has been properly deleted.
That's all for this week. Next week I dive into privacy by design, PIAs, and privacy engineering.