
Managing a Vendor's Privacy Risk


Don’t panic. Vendor management can feel intimidating, especially when it comes to evaluating the ever-changing landscape of privacy laws and regulations and how they impact your third-party vendor relationships. 

If you find yourself reaching for a bottle of Tylenol every time you think about getting a grip on the privacy risks your vendors pose, the tactics outlined below for evaluating and managing those risks can help you begin to take control of them.

How to Evaluate the Vendor Risks

It’s important to begin by understanding what potential risks your business faces when using a vendor that processes personally identifiable information (PII). Here are five tactics that can help illuminate those risks.

  1. Define the risk profile of your vendor. Which specific elements of PII must be provided to the vendor for your business to benefit from their product or service? In what jurisdiction do they process data? Will data be transferred across jurisdictional borders? Which privacy laws apply to the data involved?
  2. Collaborate with the risk, security, compliance, legal and marketing experts in your business. Doing so will help you understand the internal requirements your business has and whether the type of service being provided fits into your organizational ethos around security, compliance and branding.
  3. Examine the vendor’s reputation. Have they experienced breaches of sensitive information in the past? Do they have pending lawsuits related to violations of existing privacy laws?
  4. Check whether the vendor has obtained any industry certifications or attestations for their privacy practices. Examples include a SOC 2 audit that covers the Privacy Trust Services Criteria, ISO 27701 certification, APEC Privacy Recognition for Processors (PRP) and Cross-Border Privacy Rules (CBPR) certifications. These certifications and attestations, especially those that come with a report detailing the vendor’s privacy practices, can reduce the number of due diligence tasks involved in using the vendor.
  5. Assess the vendor’s due diligence documentation. This helps determine whether the controls and practices they have in place match your requirements. Security and privacy are closely intertwined, so it’s important to assess whether the vendor has adequate security measures, both technical and administrative, in place to protect the data being shared or processed.

4 Ways to Manage Vendor Privacy Risks

The list above offers a starting point for determining the level of risk that might be involved in using a vendor. Once you have identified the level of risk, the next step is to implement effective practices to ensure that the risk involved is managed in accordance with your organization’s risk appetite. Consider these important activities:


  1. Minimize – Only share the minimum amount of data necessary to reduce your risk exposure and comply with privacy laws. Consider technical controls such as pseudonymization, anonymization and encryption as ways to reduce the possibility of sensitive data being identifiable where appropriate.
  2. Mitigate – Your evaluation of a vendor’s privacy risks may have identified gaps between their practices and your requirements. Work with the vendor to ensure that unacceptable risks have mitigating controls in place.
  3. Monitor – Follow up with vendors regularly to ensure that their practices continue to adhere to your contractual requirements and industry best practices.
  4. Maintain – Privacy legislation is a hot topic, and new laws and regulations are rapidly being implemented all over the world. It’s important to make sure your internal requirements are updated as new laws that apply to your data get implemented. Ongoing maintenance should be performed continually to ensure that you don’t overlook important requirements.
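As an added example (not Venminder's code or the article's own), here is how the "Minimize" step can be applied before data leaves your organization: a hypothetical per-vendor sharing policy drops every field the vendor does not need, pseudonymizes direct identifiers with a keyed HMAC so the vendor cannot link them back without your key, and returns the withheld fields so the decision can be logged for the "Monitor" step. The record, policy and key below are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed sample record (no real person); field names are hypothetical.
CUSTOMER = {
    "customer_id": "C-10042",
    "email": "jane.doe@example.com",
    "full_name": "Jane Doe",
    "date_of_birth": "1988-04-12",
    "ssn": "123-45-6789",
    "postal_code": "40202",
    "plan": "premium",
}

# Hypothetical per-vendor policy: the fields the vendor's service actually
# needs, and which of those must be pseudonymized before they are shared.
VENDOR_POLICY = {
    "allowed": {"customer_id", "email", "postal_code", "plan"},
    "pseudonymize": {"customer_id", "email"},
}


def pseudonymize(value: str, key: bytes, vendor: str) -> str:
    """Keyed HMAC token: stable for the same value and vendor (so the vendor can
    still de-duplicate records), not reversible without the key, and different
    per vendor so two vendors cannot correlate the same person."""
    mac = hmac.new(key, f"{vendor}:{value}".encode(), hashlib.sha256)
    return mac.hexdigest()[:32]


def minimize_for_vendor(record: dict, policy: dict, key: bytes, vendor: str):
    """Return (payload, withheld): the vendor-bound payload plus the sorted list
    of fields that were dropped, for logging and later review."""
    payload, withheld = {}, []
    for field, value in record.items():
        if field not in policy["allowed"]:
            withheld.append(field)
            continue
        if field in policy["pseudonymize"]:
            payload[field] = pseudonymize(value, key, vendor)
        else:
            payload[field] = value
    return payload, sorted(withheld)


if __name__ == "__main__":
    key = b"constructed-example-key"  # keep the real key in your secrets manager
    payload, withheld = minimize_for_vendor(CUSTOMER, VENDOR_POLICY, key, "vendor-a")
    print(json.dumps(payload, indent=2))
    print("withheld:", withheld)
```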

As new privacy laws continue to emerge across the globe, keeping up with all the tasks involved in managing third-party risk can be overwhelming. New or emerging risks and changing regulations present many challenges, but third-party risk management is a critical practice that goes a long way toward protecting your organization.
