Corporate Compliance Insights

Exercising Good Privacy and Compliance Judgment

TPRM in the Wake of GDPR

by Tom Garrubba
February 11, 2019
in Data Privacy

Cisco has just released a Data Privacy Benchmark Study, revealing that outsourcers are taking seriously their responsibility to protect customers’ data. Tom Garrubba, Senior Director and CISO at Shared Assessments, offers his perspective on third parties’ performance of late.

Those of us in the privacy profession knew it was only a matter of time until privacy-minded organizations would see the benefits of their internal analysis and hard work. Their efforts to refine and/or create policies, procedures, standards and practices that better secure and guard privacy during the handling of their customers’ personally identifiable information are paying off.

Evidence of this came to light in the new Cisco Data Privacy Benchmark Study, published in late January 2019. The study indicates that both outsourcing organizations and their service providers are modifying the way they do business. Organizations increasingly understand the importance of recent regulations such as the General Data Protection Regulation (GDPR), which mandates protection of the personal data of individuals in the EU. This understanding is gaining traction as organizations grapple with similar U.S. state privacy regulations and guidance, such as the California Consumer Privacy Act (CCPA). From a compliance perspective, this is a breath of fresh air, since organizations are required to provide evidence that they have documented (and thus have a handle on) their internal processes and every hand through which their data passes.

In reviewing the study, I take heart that the respondents’ customers (i.e., the outsourcers) are performing proper due diligence as they strive to better understand how the service providers are (or will be) handling the outsourcers’ customers’ prized data. It appears that these service providers have anticipated the requests from their outsourcers and have built the responses into their internal compliance programs, thus cutting down on due diligence delays.

These changes lead me to believe that both outsourcers and service providers have gone beyond paraphrasing Alfred E. Neuman (“what, me worry?”) since they’ve begun to see the harsh realities of the often-heavy fines levied for noncompliance. In particular, they’ve taken the privacy (and related security) mandates of compliance regulations very seriously and are increasingly embedding this type of compliance into their business model.

One part of the Cisco study did raise my brow, however: in identifying the “most significant challenges in getting ready for GDPR,” 42 percent of the nearly 3,000 respondents named “meeting data security requirements” as the top challenge. Vendor management sits much closer to the bottom of that list. Given the global impact of major third-party breaches over the last three years, third-party risk management (TPRM) must be much higher on the priority list.

The fact is that the security and privacy posture of any organization’s third and “nth” parties who touch personally identifiable information should be as important to the organization as its own security defenses. Outsourcers placing blind faith in their third-party partners are almost certainly destined at some point to realize that outsourcing the process does not outsource the risk.

This study is beneficial to organizations and industries of all types in that it evidences the importance of privacy and security compliance within the organization. By taking these concerns seriously, organizations not only create a value add for their customers, they also cover themselves from a compliance perspective by showing that they are conforming to industry best practices and regulations.

A good place to begin ensuring that compliance and TPRM goals are being met by every third party with which a company shares data is through the use of recognized, field-proven best practices and TPRM tools – and ideally, tapping into a global “intelligence ecosystem” of risk management professionals whose insight and experience can prove invaluable. One such resource is the member consortium Shared Assessments, which produces many free tools used by member and nonmember organizations alike.

Sadly, some organizations will fail to embrace important compliance processes and to document their understanding by “following the data.” At every phase, from planning a third-party risk management program to building and capturing assessments to benchmarking and ongoing evaluation of the program, there are TPRM tools that are invaluable for managing risk.

The impacts of third-party breaches and lapses have been the stuff of headlines over the last year, and every organization’s shareholders, customers, partners and other stakeholders are taking note. Companies no longer have the luxury of acting like the proverbial ostrich with their head in the sand, oblivious to the compliance perils that third-party partners pose.
Tags: California Consumer Privacy Act (CCPA), GDPR, Personally Identifiable Information (PII), Third Party Risk Management
Tom Garrubba

Tom Garrubba is Senior Director and CISO at Shared Assessments. Tom is an experienced professional in IT risk and information controls, most recently in developing, maintaining and consulting on third-party risk (TPR) programs for Fortune 100 companies. He is an internationally recognized subject matter expert and top-rated speaker on third-party risk.

© 2023 Corporate Compliance Insights