TPRM in the Wake of GDPR
Cisco has just released a Data Privacy Benchmark Study, revealing that outsourcers are taking seriously their responsibility to protect customers’ data. Tom Garrubba, Senior Director and CISO at Shared Assessments, offers his perspective on third parties’ performance of late.
Those of us in the privacy profession knew it was only a matter of time until privacy-minded organizations would see the benefits of their internal analysis and hard work. Their efforts to refine and/or create policies, procedures, standards and practices that better secure and guard privacy during the handling of their customers’ personally identifiable information are paying off.
Evidence of this came to light in the new Cisco Data Privacy Benchmark Study, published in late January 2019. The study indicates both outsourcing organizations and service providers are modifying the way they are doing business. Organizations increasingly understand the importance of recent regulations such as the General Data Protection Regulation (GDPR), which mandates protections of the personal data for citizens throughout the EU. This understanding is gaining traction as organizations grapple with similar U.S.-state privacy regulations and guidance, such as the California Consumer Privacy Act (CCPA). From a compliance perspective, this is a breath of fresh air, since organizations are required to provide evidence they’ve documented (and thus have a handle on) their internal processes and all the hands through which their data passes.
In reviewing the study, I take heart that the respondents’ customers (i.e., outsourcers) are performing proper due diligence as they strive to get a better understanding of how the service providers are (or will be) handling the outsourcers’ customers’ prized data. It appears that these service providers have anticipated the requests from their outsourcers and have built the need for responses into their internal compliance, thus cutting down on due diligence delays.
These changes lead me to believe that both outsourcers and service providers have gone beyond paraphrasing Alfred E. Neuman (“what, me worry?”) since they’ve begun to see the harsh realities of the often-heavy fines levied for noncompliance. In particular, they’ve taken the privacy (and related security) mandates of compliance regulations very seriously and are increasingly embedding this type of compliance into their business model.
One part of the Cisco study did raise my brow, however; in identifying the “most significant challenges in getting ready for GDPR,” 42 percent of the nearly 3,000 respondents reported “meeting data security requirements” as the most important. Closer to the bottom of the priority list is vendor management. Given the global impacts of major third-party breaches over the last three years, third-party risk management (TPRM) must be much higher up on the priority list.
The fact is that the security and privacy posture at any organization’s third and “nth” parties who touch personally identifiable information should be as important to the organization as their own security defenses. Outsourcers placing blind faith in their third-party partners are almost certainly destined at some point to realize that just because they’ve outsourced the process doesn’t mean they’ve outsourced the risk.
This study is beneficial to organizations and industries of all types in that it evidences the importance of privacy and security compliance within the organization. By taking these concerns seriously, organizations not only create a value add for their customers, they also cover themselves from a compliance perspective by showing that they are conforming to industry best practices and regulations.
A good place to begin to ensure compliance and TPRM goals are being met by all third parties with whom a company is sharing data is through the use of recognized, field-proven best practices and TPRM tools – and ideally, tapping into a global “intelligence ecosystem” of risk management professionals whose insight and experience can prove invaluable. One such resource is the member consortium Shared Assessments, which produces many free tools used by member and nonmember organizations alike.
Sadly, some organizations will fail to embrace important compliance processes and document their understanding by “following the data.” At every phase, from planning a third-party risk management program to building and capturing assessments to benchmarking and ongoing evaluation of a program, there are TPRM tools that are invaluable for managing risk.
The impacts of third-party breaches and lapses have been the stuff of headlines over the last year, and every organization’s shareholders, customers, partners and other stakeholders are taking note. Companies no longer have the luxury of acting like the proverbial ostrich with their head in the sand, oblivious to the compliance perils that third-party partners pose.