The scope of vendor and third-party requirements has grown significantly during the global pandemic. Not only must your vendor management program deliver compliance with GDPR, CCPA and other privacy regulations; you now also have to account for the privacy risks associated with COVID-19.
Regulations contain specific provisions that address vendors and extend a company's data privacy obligations throughout its supply chain. To meet them, organizations must be able to collect, maintain and track the data needed to evaluate vendors up front and to monitor their status on an ongoing basis.
This webinar will provide:
-Overview of privacy laws and regulations (e.g., CCPA, GDPR) and corresponding vendor and third-party requirements
-Summary of vendor management processes and how they can be supplemented to specifically address data privacy and security risks
-Best practices for managing data privacy in your vendor network
-Guidance on how to build & manage your vendor privacy management program with practical solutions
2. How to Manage Vendors and Third Parties to Minimize Privacy Risk
● We will be starting a couple minutes after the hour
● This webinar will be recorded and the recording and slides sent out later today
● Please use the GoToWebinar control panel on the right hand side to submit any questions for the speakers
4. Agenda
● Overview of privacy laws and regulations (e.g., CCPA, GDPR) and corresponding vendor and third-party requirements
● Summary of vendor management processes and how they can be supplemented to specifically address data privacy and security risks
● Best practices for managing data privacy in your vendor network
● Guidance on how to build and manage your vendor privacy management program with practical solutions
6. Regulation Third-Party Requirements

GDPR: Requires "data controllers" to flow down the privacy and security responsibilities they carry to their "processors" (vendors) and "sub-processors." The relationship between the controller, the processor and any sub-processors must be governed by a written agreement (Art. 28).

EU/CH → US Privacy Shield: Stipulates accountability for onward transfer: organizations must enter into a contract with the third-party controller providing that data may only be processed for limited and specified purposes; the third party must provide the same level of protection as the Privacy Shield Notice and Choice Principles; and the third party must notify the organization if it determines that it can no longer meet its obligations. Note that, now that Privacy Shield no longer provides adequacy for these data flows, another transborder transfer mechanism (such as Standard Contractual Clauses) will be required.

CCPA: Requires "businesses" to apply the same security, retention, disclosure and use responsibilities to their "service providers" (vendors). The relationship between the business and the service provider must be governed by a written agreement.

Federal Reserve Act, implemented in 12 CFR 223: National banks and federal savings associations must maintain oversight of third-party relationships.

HIPAA: Covered entities may disclose protected health information (PHI) to business associates only after obtaining satisfactory assurances, in a business associate agreement, that the business associate will apply the safeguards called for in the HIPAA Security Rule and the applicable portions of the Privacy Rule. Business associates are directly subject to HIPAA, not merely to the covered entities they serve.

Massachusetts 201 CMR 17.00: Organizations are responsible for selecting and retaining third-party service providers that are capable of properly safeguarding personal information.

U.S. Food and Drug Administration (FDA) Advisory Committees: Require oversight of quality vendors and products across a number of industries.

Australian Privacy Principles and Hong Kong's Personal Data (Privacy) Ordinance: In general, require companies to ensure the proper security and use of data, and specifically apply to cross-border data transfers, direct marketing and transparency to data subjects. In practice this means companies cannot share data with vendors that lack proper security or that would not use the data appropriately.
9. Address Common Vendor Management Provisions

Definitions: Define personal data, consent, sensitive data (if appropriate), data owner, and data processor/service provider.

Documented instructions (purpose, duration, parties): Be clear about what the work is and is not; the processor executes only what is documented. Some latitude in implementing the instructions is acceptable as long as it stays aligned with them. Address any transborder data flow requirements.

Processor technical and organizational measures: Implement technical and organizational measures appropriate to the risk, including privacy program management.

Confidentiality and accessibility: The processor agrees to terms that limit access to personal data.

Disclosure: Disclose personal data ONLY for the specific purpose of performing the services specified in the contract.

Right to audit: The data owner has the right to conduct reasonable audits of the processor's systems, protocols, etc.

Processor assistance to data owner: The processor will provide assistance with individual rights requests, breach response, etc.

Data retention and disposal: The processor will return or delete data according to the terms of the agreement.
10. Existing Vendor Management Approach

Each step of a common vendor management process, and what privacy and security add to it:

Identification
  Common: Find a vendor that meets our needs...
  Plus privacy and security: ...AND demonstrates privacy and data protection awareness.

Screening
  Common: Review references, conduct a business review, confirm the vendor can deliver on requirements...
  Plus privacy and security: ...AND completes the appropriate assessments to comply with external regulatory and/or internal privacy and security governance.

Risk Analysis
  Common: Assess the viability and capability of the vendor, review its operations...
  Plus privacy and security: ...AND scores favorably on compliance with external regulatory and/or internal privacy and security governance.

Risk Mitigation
  Common: Reduce exposure, obtain guarantees in case things go wrong...
  Plus privacy and security: ...AND implements a Data Processing Agreement (DPA) with specific security terms.

Continuous Monitoring
  Common: The vendor delivers according to the agreement...
  Plus privacy and security: ...AND maintains the terms of the DPA.

Storage Repository
  Common: Maintain a common place for access and review...
  Plus privacy and security: ...AND classify each vendor as low, moderate or high risk, with a defined level of rigor required for each tier.
11. Choose Wisely and Document
● Ultimately, it is your reputation on the line if there is a problem with a vendor's data handling.
● If something does go wrong, being able to demonstrate that you performed appropriate diligence is critical.
● Remember that a change of vendor can also trigger other documentation requirements: Data Protection Impact Assessments, updates to your data inventory (records of processing, GDPR Art. 30), and changes under other legal requirements.
13. Best Practices - Managing Data Privacy Risk in Your Vendor Network
● Map your data to identify data movement and vendors
● Classify vendors based on your data classification for risk
● Identify places in your vendor network where privacy threats can hide and address them
● Build partnerships across the organization to have visibility into vendor activity
● Work with your procurement and legal teams to set vendor review thresholds
● Collaborate with your information security team to gain a complete view of your vendor posture
14. Best Practices - Managing Data Privacy Risk in Your Vendor Network
● Ensure your organization understands vendor risk; this is particularly important as you consider the risk of free vendors
● If clauses are added to vendor contracts that require the vendor to take action, such as obtaining a SOC 2 report (a report based on the AICPA's Trust Services Criteria that evaluates the vendor's information systems against security, availability, processing integrity, confidentiality and privacy), make sure there is a consistent way to follow up with the vendor and take action if necessary (including terminating the relationship)
Remember that although an organization can have good security without privacy, good privacy is impossible without good security.
Some vendors are more comfortable with security questions than with privacy questions. Good responses on security can be easier to obtain, but keep digging.
15. What Should a Vendor Privacy Management Program Look Like?
1. Vendor risk landscape definition
2. Inventory of vendors and their documentation
3. Vendor risk assessment
4. Ongoing monitoring of vendors
5. Policies and procedures
6. Vendor contracts (work with business leaders, procurement and legal)
7. Termination of vendor relationship
16. Best Practices
● Involve multiple stakeholders – security, procurement, HR, legal, business owners
● Educate the business
● Insert privacy early in the process
● Establish a clear, easy tracking mechanism; it gets complicated quickly!