Don’t Gamble with Vendor Risk Management
Picture this: You caught wind that the Marketing Department just onboarded a third-party application that shares sensitive organizational data without including your privacy team in the validation process. Data shared includes employee contact information, customer data, and financial information. Your organization signed with an external vendor without due diligence of privacy risks.
Vendor Risk can feel uncomfortable for an organization, and it certainly is easier to assume that “this vendor has done its due diligence and therefore I do not have to worry about it.”
This can bite you, as it has many other organizations. Governments are cracking down on these partnerships, demanding that data about their citizens be protected and used according to their respective laws and regulations (GDPR, CCPA, PIPL, etc.).
Security breaches are all too common in the headlines today, and it seems to be a matter of when one will occur rather than if. After all, 25% of all global security breaches resulted from “third-party attacks or incidents,” and the average international cost per data breach has reached $4.24M, which isn’t pocket change.
Overall, breaches can result in high financial penalties, a loss in company brand perception, loss of trust, and potential lawsuits.
So, to sum up, crossing your fingers and hoping your third-party vendors have put controls in place to mitigate privacy risk is a gamble that could result in disastrous consequences. Your organization needs solid frameworks in place to build a foundational vendor risk management program.
Where is the best place to start?
Deciding what roles to outsource, of course!
That’s right, it all begins with understanding which business activities are best handled by third-party vendors. When writing up requests for proposal (RFPs) for prospective vendors, dedicate a section entirely to privacy, and structure it so that vendors’ responses can be compared directly against one another.
That section should cover the following topics:
Defining the Vendor Risk Landscape
Each country and jurisdiction has its own laws and regulations regarding data privacy. It’s the role of your vendor risk management program to decide how much risk your organization is willing to take. Once that is outlined, determine the minimum standards your organization needs to meet.
Risk is a part of doing business, so you need to establish guidelines on where the limit lies. Use them to facilitate discussions with potential vendors and find out whether their risk appetite matches yours.
Creating a Data Flow Inventory Map Across All of Your Vendors
No organization is an island; they all operate with multiple external vendors. Mapping out exactly where data flows across your entire vendor network will identify possible overlaps and show opportunities for streamlining and reducing costs.
Merging duplicated data flows and deleting unnecessary ones reduces your organization’s exposure to third-party risk.
Data Transfer Risk Assessment
In addition to determining how data flows between your organization and each of its vendors, assess the data transfer risk based on where your vendors’ systems are hosted and where the individuals whose data is being processed are located, so that appropriate safeguards are in place whenever data is transferred internationally.
Ongoing Monitoring of Vendors
As always, nothing stays static for very long, so your organization needs to actively monitor vendor partners for any changes in the data risk they pose to the company. Some vendors may even need in-person reviews annually. Leverage and include departments from across the organization to assess all aspects of data risk.
Policies and Procedures
To ensure that your company has oversight, be prepared to share your data policies and procedures with your third-party vendors as they pertain both to your customers and to the vendors themselves. Develop straightforward policies, meet the controls you have set, and maintain a set of proprietary implementation strategies.
Work with your leaders, procurement, and legal teams to ensure that your contract management system tracks what you need to know from a privacy perspective. Free or inexpensive vendors generally don’t hit the thresholds for procurement or legal review – make sure this is controlled!
Termination of Vendor Relationship
Lastly, all good things must come to an end. Have processes in place that cover both natural terminations and terminations for cause. Your business must be prepared to end the relationship if the vendor is non-compliant with data protection requirements and the risk is high.
So there you have it. Following these 7 steps will give you stable foundations on which to build your vendor management program and avoid non-compliance fines. Of course, there is much more involved when it comes to vendor risk management.