Third-Party Risks for Data Privacy are Everywhere
Brainstorming Solutions to Supplier Management
Everybody has a process in place to demonstrate that you [the vendor] can be trusted to perform services for your client. This means a lot of paperwork and sometimes a lot of redundancy for suppliers.
All of this takes time and effort and energy to manage. What would be some potential solutions to resolve that friction for both the suppliers and for their potential clients? What are the pain points?
—Josh Harris, BBB National Programs
“One of the most obvious answers,” says Amazon’s Kelly Peterson Miranda, “is our legal obligations are growing and interoperability between those legal obligations is not always there for in-house privacy program managers who are trying to operationalize privacy programs.
“The privacy team for controllers is about oversight. How do you have adequate oversight? What are all the ingress points that are generated by third-party relationships?
“It’s not always procurement, right? Engineering is establishing third-party relationships: marketing teams are establishing third-party relationships. So, it’s about gaining the right handle on your third-party landscape and knowing who is responsible for ongoing oversight over those relationships.”
Kelly Peterson Miranda and CJ Utter met with Josh Harris for a wide-ranging Q&A during the fall session of the widely attended Spokes Privacy Technology Conference to brainstorm solutions to supplier management and risk mitigation.
Kelly is a Data Privacy Principal at Amazon and CJ Utter is Privacy Counsel for Vizio. The session’s MC, Josh Harris, is BBB National Programs Director, Global Privacy Initiatives.
The lifecycle of third-party risk mitigation
Kelly notes that one of the challenges is “putting together an effective program to manage the relationship lifecycle.” While there is a concerted focus during onboarding, what happens afterward can be harder to pin down.
“That’s where some privacy programs start to struggle and start to deal with scalability issues”
For small to medium organizations, it typically comes down to resource management: there are not enough people and there may not be a budget for a technology-based resource to help.
For larger organizations, it comes down to creating something that provides a breadth of oversight that is scalable, accurate, [and] continuous – not something that’s a point-in-time compliance activity.
—Kelly Peterson Miranda, Amazon
CJ agrees. “It seems like there is so much effort upfront, so much due diligence, and then as the contract proceeds, or as the business relationship proceeds, the due diligence goes on the back burner.” Often there is little, if anything at all, in place that completes the data management and risk assessment lifecycle.
At the outset “You’re getting the questions answered. You understand their business relationship, you understand the use of the data, and what they’re doing to protect that data,” continues CJ. But clear to the end of the relationship cycle? Can you “confirm that they no longer have that data in their possession? That it’s been destroyed?” cautions Utter. Does the third party still have an “amount of data in their possession for legal regulations and what is required under whatever applicable law framework that they comply with?”
What’s your risk appetite?
What about an “annual or biannual risk assessments being done in house? Is this something that you would recommend undertaking? Any challenges, you see in that?” asks Josh:
CJ is quick to point out the likely bandwidth challenges.
You can think about a lot of different things that would trigger a risk assessment such as a security breach or if the relationship has changed. Typically, I see the risk assessment being reviewed whenever there’s a new statement of work added, when there’s a new engagement letter, or a new deal struck….
You may want to do a biannual one down the road, especially if there’s no change – there’s [no trigger] to review it – but typically, the times to review it are when the new contracts come in, or when there’s a change.
—CJ Utter, Vizio
“What’s the risk score that you’ve assessed during that initial assessment?” offers Kelly. “I think, higher risk relationships (it could be based on the data that’s being shared or the criticality of that vendor to your service overall) may necessitate a biannual risk assessment or audit of that particular vendor. Versus a vendor who’s receiving less data or providing not so critical of a service.
“What’s key, if we talk about relationship lifecycle, is to have a testing and monitoring program in your organization…whether that’s going to be something that that team takes on or they engage third parties to help bolster that.”
But it all depends on the question of the risk appetite of your company overall. Because that’s going to drive the resources, the timing, and the appetite. Both to take it on internally, as well as defining the relationship that you have with that third party.
—Kelly Peterson Miranda, Amazon
The controller controls
“What happens in a worst-case scenario where somebody fails, the assessment or for whatever reason is unable to maintain the standards that you would put out at the beginning?” queries Harris::
I’ve experienced this firsthand. What I’ve done is have a discussion with the business unit or the team that’s engaging the vendor to discuss the importance of the vendor and discuss the business use case. Are there any viable alternatives in the marketplace that can provide the same or close to what this vendor was going to provide?
—CJ Utter, Vizio
“This is an important topic,” says Peterson Miranda. Crucially, “before engaging in any kind of risk assessment, or audit, there has to be a meeting of the minds between legal and the business. What is the goal? What are the remediations that we can potentially control and put in place if we receive unsatisfactory answers from a vendor with which we are currently working?”
She notes that there are some tough questions to ask from the business perspective. In particular, “Are you willing to walk away? Can we walk away? And if the answer is no, and we get back an unsatisfactory answer: what is within our control, as a controller.”
From a technology perspective, are there gating things that we can put up? Pseudonymization techniques that can be put in place, or data minimization? What can we control to help ensure that our customers are not harmed by the fact that we must engage with this third party in order to provide the service to the end customer?
It all goes back to preserving that trust of the customer.
— Kelly Peterson Miranda, Amazon
Exceptions to the rule?
Josh asks, “As you encounter these cases, are they pushing you into ad hoc remediations that are outside the broader process? Some occasional special accommodation for an organization?
“Again,” offers Kelly, “it goes back to the criticality of that vendor. Are you willing to put in place an exception and, if so, how are you going to document that exception? How are you going to have oversight?
“It increases your operational burden. And, in the long term, you’re potentially increasing risk because now you have an exception in an approach. Who’s going to have responsibility for that?
And as Kelly notes, it is most likely something that can’t be managed by the privacy group, but rather someone in the business: “whether that sits with product, engineering, account management, or whoever is the relationship owner.” Ultimately, what does reporting look like? How will the privacy and compliance teams “ensure that, in the end, this exception doesn’t result in compliance risk?”
As Josh rightly and succinctly puts it, “the introduction of complications into a universe of things that are already complicated is probably suboptimal.”
The way I’ve handled it is by looking at the sensitivity of the data and having certain vendors do certain questionnaires based upon the level of data that they’re getting. If there are any exceptions, that’s noted within the contract, and there are a lot of guard rails in the contract concerning what they can do with the data or what is expected of the third party.
—CJ Utter, Vizio
“And then that’s managed within the contract lifecycle management, continues CJ, “where you can tag the contract for review at certain intervals.”
As organizations look to operationalize data privacy and manage personally identifiable data across their information ecosystems – intended to deliver value-added and frictionless experiences to their consumers – managing third-party relationships is one of the many challenges businesses both small and large grapple with.
The foregoing is just a small sample of this discussion which also covered topics like operational challenges concerning subsidiaries of third parties; the potential utility of a GDPR-like framework to assist in the lifecycle management of risk; and the needed coordination of process owners across the businesses; and the impact of the ever-changing regulatory landscape.
This discussion and others featuring some of the leading thinkers and practitioners that came together for the Fall Spokes Privacy Technology Conference can be accessed here.
Watch the entire SPOKES session here.