As part of the TrustArc Privacy Insight Series, Director of Consulting at TrustArc, Paul Iagnocco, presented “Managing Risk & Easing the Pain of Vendor Management”. This blog post will give a brief summary of that webinar; you can listen to the entire webinar and download the slides here.
In this webinar, Paul discussed the methods and challenges companies face when assessing and evaluating vendors under regulations such as the GDPR, CCPA, Privacy Shield and HIPAA. Under each of these regulations, demonstrating compliance requires vendor management provisions that speak to specific topics such as documented instructions, technical and organizational measures, confidentiality, disclosure, right to audit, and retention periods. Paul stressed the importance of involving key stakeholders (IT, finance, legal, etc.) and of prioritizing relationships with information security teams. Working with that team in particular is important because once a company has identified its existing vendor management approach, the next step is to find where privacy and security can be added and implemented within that cycle.
Shankar Chebbrolu, Enterprise Security Architect at RedHat spoke on his experience using various vendor management methods. Prior to 2016, RedHat used a home-grown approach to vendor management using Google Forms and a ticketing system. In May 2016, RedHat had an auditor assess the way the company was handling risk management, including third party management. Results from the auditor’s report showed RedHat needed to further develop their vendor management system in order to improve their privacy posture. RedHat implemented TrustArc Assessment Manager in February 2017 as a means to assess and minimize their third party risk. Shankar discussed how the robust, out-of-box templates within Assessment Manager, specifically vendor assessment, removed the need for his team to frame vendor questions themselves. As of February 2019, RedHat has completed over 200 vendor assessments using Assessment Manager!
Paul outlined several key takeaways for effective vendor management:
- Identify tools to manage vendor due diligence, whether through a manual/low-tech or a technology-platform approach, while weighing long-term against short-term sustainability
- Conduct privacy assessments (e.g., PTA, PIA and, if necessary, DPIA) that address the vendor’s overall privacy program in a manner appropriate to the nature of the information
- Be prepared to demonstrate due diligence – including reporting and individual rights management
- Establish a common repository for all vendor management and data protection initiatives
To learn more about best practices for vendor management, view the on-demand Privacy Insight Series webinar here. Registration is now open for the next webinar in the Privacy Insight Series: “Pragmatic Consent Management: Meeting Compliance and Business Needs.”
The TrustArc Privacy Insight Series is a set of live webinars featuring renowned speakers presenting cutting edge research, tips, and tools. Events are free and feature informative discussions, case studies and practical solutions to today’s tough privacy challenges. Over 20,000 privacy professionals registered for our events in 2018!