Exercising Good Data Privacy and Compliance Judgement
Those of us in the privacy profession knew it was only a matter of time before privacy-minded organisations saw the benefits of their internal analysis and hard work. Their efforts to refine or create policies, procedures, standards and practices that better secure and guard privacy when handling their customers' personally identifiable information are paying off.
Evidence of this came to light in the new Cisco Data Privacy Benchmark Study, published in late January 2019. The study indicates that both outsourcing organisations and service providers are modifying the way they do business. Organisations increasingly understand the importance of recent regulations such as the General Data Protection Regulation (GDPR), which mandates protection of the personal data of individuals throughout the EU. This understanding is gaining traction as organisations grapple with similar U.S. state privacy regulations and guidance, such as the California Consumer Privacy Act (CCPA). From a compliance perspective, this is a breath of fresh air, since organisations are required to provide evidence that they have documented (and thus have a handle on) their internal processes and every set of hands through which their data passes.
In reviewing the study, I take heart that the respondents' customers (the outsourcers) are performing proper due diligence as they strive to understand how the service providers are (or will be) handling the outsourcers' own customers' data. It appears that these service providers have anticipated the requests from their outsourcers and have built the responses into their internal compliance processes, thus cutting down on due-diligence delays.
These changes lead me to believe that both outsourcers and service providers have moved beyond paraphrasing Alfred E. Neuman ("What, me worry?"), since they have begun to see the harsh reality of the often heavy fines levied for non-compliance. In particular, they have taken the privacy (and related security) mandates of compliance regulations seriously and are increasingly embedding this type of compliance into their business model.
One finding in the Cisco study did raise an eyebrow, however. In identifying the "Most significant challenges in getting ready for GDPR," 42% of the nearly three thousand respondents reported "Meeting data security requirements" as the most important. Vendor management sits much closer to the bottom of the priority list. Given the global impact of major third party breaches over the last three years, third party risk management (TPRM) must be much higher on that list.
The fact is that the security and privacy posture of any organisation's third and "nth" parties who touch personally identifiable information should matter to the organisation as much as its own security defences. Outsourcers placing blind faith in their third party partners are almost certain to realise at some point that outsourcing the process does not mean they have outsourced the risk.
This study is beneficial to organisations and industries of all types in that it demonstrates the importance of privacy and security compliance within the organisation. By taking these concerns seriously, organisations not only add value for their customers, they also cover themselves from a compliance perspective by showing that they conform to industry best practices and regulations.
A good place to begin ensuring that compliance and TPRM goals are met by every third party with whom a company shares data is the use of recognised, field-proven best practices and TPRM tools. Ideally, a company will also tap into a global "intelligence ecosystem" of risk management professionals whose insight and experience can prove invaluable. One such resource is the member consortium Shared Assessments, which produces many free tools used by member and non-member organisations alike.
Sadly, some organisations will fail to embrace important compliance processes and to document their understanding by "following the data." At every phase, from planning a third party risk management programme, to building and capturing assessments, to benchmarking and ongoing evaluation of the programme, there are TPRM tools that are invaluable for managing risk.
The impacts of third party breaches and lapses have been the stuff of headlines over the last year, and every organisation's shareholders, customers, partners and other stakeholders are taking note. Companies no longer have the luxury of acting like the proverbial ostrich with its head in the sand, oblivious to the compliance perils that third party partners pose.
About the Author
Shared Assessments Senior Director and CISO, Tom Garrubba, is an experienced professional in IT risk and information controls, most recently in developing, maintaining, and consulting on third party risk (TPR) programs for Fortune 100 companies. He is an internationally recognised subject matter expert and top-rated speaker on third party risk.
This article is shared with the kind permission of Shared Assessments.