Understand and Mitigate Your Vendor Privacy Risks

While working with vendors and third parties is an inherent part of doing business, and they provide tremendous value and opportunity, vendors also present significant risks. These risks are of growing concern, particularly when it comes to data privacy and security. Forrester states, “The repercussions of security incidents across the value chain, as well as the EU General Data Protection Regulation’s (GDPR’s) more stringent compliance requirements, make managing third-party risk a top priority for S&R [security and risk] pros.” [1]

And you don’t have to look far to find examples in the news of data breaches caused by vendors. Forrester research also found, as shown in Figure 1 below, that a third-party attack or incident caused 21% of confirmed security breaches in 2018. [2]

Additionally, Ponemon estimates the cost of a data breach at between $750,000 and $35 million [3], with the global average cost in 2018 at $3.86 million and increasing each year. [4] On top of the monetary cost of fines related to a breach, it’s important to consider other critical factors in calculating the true cost of a breach. These may include damage to the company’s brand, loss of trust with customers, and potential lawsuits and regulatory actions following the breach.

In addition, privacy laws and regulations have specific provisions that address vendors and extend companies’ data privacy obligations throughout their supply chains. Whether you are focused on GDPR, the California Consumer Privacy Act (CCPA), Health Insurance Portability and Accountability Act (HIPAA), EU Privacy Shield or a combination of different frameworks, one of the most important components of your privacy and security risk management program is to understand how your vendors are handling your data and whether they too can maintain compliance.

The privacy experts at TrustArc recommend that you expand your vendor management approach to address privacy and security. It’s important that your vendors:

  • Demonstrate privacy and data protection awareness from the beginning of the relationship
  • Complete privacy and security assessments
  • Comply with regulatory and internal privacy and security governance
  • Implement and maintain terms of a Data Processing Agreement (DPA)

In addition, the TrustArc Vendor Risk Management solution provides a centralized place and method to collect, maintain and track critical data for ongoing vendor management. The solution, powered by the TrustArc Platform, enables companies to assess vendors, evaluate and monitor vendor risk, track vendor status and report on key compliance metrics. Our experienced privacy consultants are available to help you understand your regulatory environment and risks; design your vendor management program; define your risk scoring model and vendor prioritization; develop policies and procedures and more.

To learn more about how to minimize vendor risk, vendor management best practices and how to build a successful vendor management program read our Vendor Risk Management Guide.

To learn more about the TrustArc Vendor Risk Management solution, visit www.trustarc.com/products/vendor-risk-management/

[1] Manage Third-Party Risk to Achieve and Maintain GDPR Compliance. Forrester. April 2018.

[2] The State Of Data Security And Privacy: 2018 To 2019. Forrester. December 2018.

[3] Royal, K. Third-Party Vendor Management Means Managing Your Own Risk. iapp.org.

[4] Shepard, Sydny. The Average Cost of a Data Breach. Security Today. July 17, 2018.


Upcoming Webinar – Pragmatic Consent Management: Meeting Compliance and Business Needs

TrustArc is proud to present the next Privacy Insight Series webinar “Pragmatic Consent Management: Meeting Compliance and Business Needs” with TrustArc Consulting Program Director Margaret Alston and TrustArc Senior Privacy Consultant Jim Keese. This webinar will take place this Wednesday, March 20th at 9am PT / 12pm ET / 5pm GMT. Don’t miss this opportunity to learn more about managing consent – register today!

As the dust settles on the first wave of GDPR implementation initiatives, businesses are left with a multitude of questions. Is implementing a simple cookie banner enough? How can I manage consents across multiple systems? How can I ensure our policies are being implemented? Do I really need a “Do Not Sell” button to comply with CCPA? Will all this change under the ePrivacy Regulation anyway? What kind of records do I need if a regulator asks?

As a privacy professional or a marketer, you’re responsible for advising the business and working through the realities of balancing compliance with ongoing demand for data-driven insights and growth. Join this webinar for a playbook of key tips and guidance to help you juggle these requirements with ease and understand what’s required and what’s open to interpretation.

This webinar will outline:

  • Consent requirements under key regulations including GDPR and CCPA
  • Key considerations and decisions for the business to take
  • Tools to support universal consent management

Can’t make it? Register anyway – we’ll automatically send you an email with both the slides and recording after the webinar! Click here for answers to the most commonly asked webinar-related questions.

The TrustArc Privacy Insight Series is a set of live webinars featuring renowned speakers presenting cutting edge research, tips, and tools. Events are free and feature informative discussions, case studies and practical solutions to today’s tough privacy challenges. Over 20,000 privacy professionals registered for our events in 2018!

Privacy Insight Series Webinar Recap: Managing Risk & Easing the Pain of Vendor Management

As part of the TrustArc Privacy Insight Series, Director of Consulting at TrustArc, Paul Iagnocco, presented “Managing Risk & Easing the Pain of Vendor Management”. This blog post gives a brief summary of that webinar; you can listen to the entire webinar and download the slides here.

In this webinar, Paul discussed the methods and challenges companies face when assessing and evaluating vendors under regulations such as the GDPR, CCPA, Privacy Shield and HIPAA. Under each of these regulations, demonstrating compliance requires vendor management provisions that speak to specific topics such as documented instructions, technical and organizational measures, confidentiality, disclosure, right to audit, and retention periods. Paul stressed the importance of involving key stakeholders (IT, finance, legal, etc.) and explained why companies should prioritize building relationships with their information security teams. Working with that team in particular matters because, once a company has identified its existing vendor management approach, the key step is finding where privacy and security checks can be added and implemented within that cycle.

Shankar Chebbrolu, Enterprise Security Architect at RedHat, spoke on his experience using various vendor management methods. Prior to 2016, RedHat used a home-grown approach to vendor management built on Google Forms and a ticketing system. In May 2016, RedHat had an auditor assess the way the company was handling risk management, including third-party management. The auditor’s report showed that RedHat needed to further develop its vendor management system in order to improve its privacy posture. RedHat implemented TrustArc Assessment Manager in February 2017 as a means to assess and minimize its third-party risk. Shankar discussed how the robust, out-of-the-box templates within Assessment Manager, specifically the vendor assessment template, removed the need for his team to frame vendor questions themselves. As of February 2019, RedHat has completed over 200 vendor assessments using Assessment Manager!

Paul outlined several key takeaways for effective vendor management:

  • Identify tools to manage vendor due diligence, whether it be by manual/low-tech or a technology platform approach, while considering long-term versus short-term sustainability
  • Conduct privacy assessments (e.g., PTA, PIA and, if necessary, DPIA) that address the vendor’s overall privacy program, with a depth appropriate to the nature of the information
  • Be prepared to demonstrate due diligence – including reporting and individual rights management
  • Establish a common repository for all vendor management and data protection initiatives

To learn more about best practices for vendor management, view the on-demand Privacy Insight Series webinar here. Registration is now open for the next webinar in the Privacy Insight Series: “Pragmatic Consent Management: Meeting Compliance and Business Needs.”

TrustArc Essential Guide to the California Consumer Privacy Act (CCPA)

This guide distills the California Consumer Privacy Act (CCPA) into distinct phases to help a business achieve and then maintain compliance. The guide is designed for professionals across a wide range of functions who will be impacted by the CCPA.

Before building a program, TrustArc suggests that companies review with legal counsel all applicable privacy compliance regulations or frameworks with which your company will have to comply. Finding commonalities between the requirements and controls will allow a company to find overlap between the obligations, and then adjust for any differences, rather than having completely separate programs.

One example of a requirement that is new with the CCPA is the “look back” period. Your budget should therefore take into account supplying your team with the resources necessary to address the requirements around access, accounting of disclosures, and transparency. For example, companies will have to identify any personal information the business collected about the consumer during the past 12 months, so the process should ensure that business processes that collect personal information are recorded in a data inventory. A company will need to be able to identify the type of personal information being collected; there are 11 categories enumerated in the CCPA, and the company would have to choose the one that most closely describes the personal information. The company will also need to know why it collected the personal information (the purpose), which categories of personal information were sold, and which categories were disclosed for a business purpose. Keeping up-to-date and detailed records will be key.

To learn more about CCPA requirements and how to leverage your existing privacy program, download your copy of the CCPA Essential Guide now.

TrustArc at IAPP CCPA Comprehensive 2019 – Event Recap

This week TrustArc had a strong presence at the IAPP CCPA Comprehensive 2019 in Fremont, California. The day was filled with panels of experts discussing the scope of the California Consumer Privacy Act (CCPA), definitions of key terms, and overlap with the General Data Protection Regulation (GDPR). The panels also offered a “stump the panelists” session where attendees were able to ask about the real-life challenges companies are facing today.

In addition to the great discussions, there were also ample opportunities for networking and meeting with solution providers. TrustArc had many conversations with companies about our CCPA solutions.

Some key takeaways were:

  • Companies that did not have to comply with GDPR are now gearing up to comply with CCPA.
  • With regard to data subject access requests, companies should reach consensus internally about how requests will be verified, answered, and tracked. For example, will data subject requests be fulfilled electronically or in hard copy?
  • Stakeholders should be aware of and reach consensus on whether the company will use a uniform policy and vendor agreements, or separate policies.
  • Conversations on deciding how to address the “Do Not Sell My Personal Information” requirement should start now, if they haven’t already, because implementing the controls may take some time to operationalize.
  • Companies can leverage CCPA efforts to comply with the GDPR.

To learn more about how TrustArc’s expert privacy consultants and the TrustArc Platform can help your company reach CCPA compliance, schedule a consultation today!

Managing Compliance with Privacy Assessments

No matter what industry you are in, the size of your organization, or the maturity of your privacy program, conducting regular privacy assessments is important to understand and ensure compliance. Privacy assessments need to address a wide range of legal requirements and best practices and will help build an action plan to identify gaps and define and manage remediation activities.

When assessments align with pertinent global privacy laws, they provide a structure for gathering information necessary to determine compliance successes and gaps. They also help companies predict trends, assign resources appropriately, and resolve the right issues. Stakeholders participating in the assessment process typically learn from the experience and become more engaged and educated about privacy. Finally, a historical set of assessment results can demonstrate a company’s progress along its privacy compliance journey.

TrustArc has a wealth of data from numerous privacy research studies conducted over the past several years. These studies have gauged consumer attitudes, actions, and the impact that data privacy management has had on businesses. TrustArc has also conducted research studies to provide companies with guidance on common questions including how to handle internal privacy practices, as well as appropriate budgeting and planning.

TrustArc and IAPP released the findings of the “Measuring Privacy Operations” research study. The study examined the current state of privacy program management. The research shows that critical privacy program activities such as creating data inventories, conducting data protection impact assessments (DPIA), and managing data subject access requests (DSAR) are now well established in large and small organizations in both Europe and the United States.

Some key findings about assessments are:

  • DPIAs are the most common type of privacy assessments
  • 75% of respondents subject to the GDPR report they have completed one or more Data Protection Impact Assessments (DPIA).
  • 46% use technology tools for DPIA management, including 20% who use a specialized software solution; only 47% continue to use a manual process, down from 66% two years ago.
  • DPIAs, Privacy Impact Assessments (PIAs), and Vendor / Third Party Risk assessments are the most popular types of privacy assessment, and are used significantly more often than popular security assessments such as ISO 27001 and NIST.

TrustArc offers a broad range of solutions to help companies build and manage a privacy program. TrustArc offers self-service and managed service offerings to address a wide range of privacy compliance requirements. To learn more, download the “Managing Compliance with Privacy Assessments” here.