Most organizations share personal data with third parties. Perhaps there’s a rare case in the wild in which your organization operates in a silo, but oftentimes you need to onboard vendors to help you get the job done. With that comes a responsibility to document those relationships for compliance with data privacy and security laws.
Under various laws, both state and global, both data controllers and data processors are on the hook. Data controllers have to make sure the data they’re sharing with vendors is handled according to the letter of the law, and data processors have to make sure they’re handling the data shared with them the same way.
But that’s not an easy thing to do. In some cases, dozens or even hundreds of third parties may be involved. How can you ensure you have the appropriate contracts in place with all of those parties, and how can you keep track of whether your vendors are complying with your contract’s provisions over time? After all, even if a vendor can initially prove compliance, its business plans may evolve and it may begin treating data differently than when the contract was signed. Or, it may partner with additional vendors later on, with whom it begins sharing data. Either change could undermine the terms you’d agreed to, putting your compliance at risk.
To avoid those kinds of surprises, it’s essential to establish a third-party data-sharing program that mitigates risks from the beginning. Your program should ensure you’ve got a handle on all the parties involved and all the dynamic practices at play. If your management team should ask if you’re mitigating legal compliance risks, you should be able to point to your tracking system and answer questions about your partners’ practices in real time to assuage any concerns. In addition, and even more importantly, if a data protection regulator, attorney general, or the FTC should come knocking on your door, you need to be able to demonstrate compliance and accountability.
TerraTrue’s approach to third-party vendor management
Usually, managing third-party vendors has required manual and repetitive processes, and it’s been difficult to get privacy and security teams involved early. Without that critical communication, it’s impossible to effectively evaluate overall risks. Complicating things further, typical questionnaires list hundreds of questions that may not even be relevant to the particular vendor at hand. As you continue to onboard vendors, managing a thick database of who’s been vetted, approved, or denied can be difficult and frustrating. It’s a significant time suck, and inefficient at that.
TerraTrue provides a single workflow for every review that allows you to track vendors’ responses to surveys so you can evaluate risk in real time. Your data map stays up-to-date, and you can streamline your vendor-management process. In addition, you can layer in TerraTrue’s risk-scoring framework, which allows you to set a threshold for risks as you assess which vendors to work with.
For easy viewing, TerraTrue’s dashboard provides a view of third-party interactions, grouped by category, geography, and product type. It also flags “high-risk” partners, so you can track those vendors closely and monitor changes as they’re made. Plus, the dashboard allows you to instantly view third parties’ current statuses within your framework, whether prospective, active, or rejected. Within the platform, third parties who have completed a data spec and privacy worksheet automatically update a data map.
For more on how to manage third-party vendors, check out our Third-Party Risk Management solution.