Each year on January 28th, the world celebrates Data Privacy Day (DPD), led by the National Cyber Security Alliance in North America. This international effort creates awareness about the importance of respecting privacy, safeguarding data, and enabling trust. The focus this year is on the value of information. Whether you look at data privacy from an individual point of view, or from the lens of the business that is collecting, using, and storing personal data, remember:

Personal Information is like money. Value it. Protect it.

Last year the focus on Data Privacy was on readiness for the EU General Data Protection Regulation and the implications that emerged following the social media testimony in Congress on data sharing. This year, the spotlight is on the new California Consumer Privacy Act. In each of these areas, there is an impact to vendor management that is driving a new era for third party risk governance.

If personal information is like money – then we need to treat that asset with the same level of value and protection if it is stored in our own privacy piggy bank, or in the locked vault of a vendor or service provider. Let’s put the numbers into perspective:

• 66% of U.S. consumers want companies to earn their trust by being more open and transparent with how their information is being used
• In a survey by Blue Fountain Media, web users surveyed that they overwhelmingly objected to how their information is being shared with and used by third-party vendors. 90% of those polled were very concerned with internet privacy.
• A PwC survey found that only 52% of U.S. companies that will need to comply with the CCPA expect to be compliant by January 2020.

The Shared Assessments Program Vendor Risk Management Maturity Model was updated for release in 2019 to include the heightened expectations driven by new privacy regulations, high profile data breaches and updated external audit standards. The 2018 Shared Assessments Program and Protiviti Vendor Risk Management Benchmark study used the expanded maturity model. Early highlights of the 2018 were shared with Shared Assessments Program Members this past month. In the latest Shared Assessments Program and Protiviti Vendor Risk Management Benchmark study 55% of organizations surveyed indicated they were likely to “de-risk” or move away from high risk third-party relationships in the next 12 months, up 2% from the previous year. Further, considering all six privacy related measures in the survey, fully 43% of those surveyed had either fully functional or advanced privacy practices in place, the second highest result of any focus area in the survey. 22% of respondents reported they had only ad-hoc privacy practices in place and 9% had no active privacy efforts.

Both GDPR and CCPA drive the need for enhanced data governance strategies, including data flows, data maps and data inventories. Whether the data is stored locally or at a third- party service provider, the data must be protected. International Privacy regulations will continue to advance triggering the need to continually assess the effectiveness of each third party risk governance program for new privacy requirements.

Key steps in building your third-party risk roadmap for privacy protection:

• Update vendor classification, scoping, and inventories for third party relationships
• Enhance contract provisions for the protection and usage of data
• Maintain a data inventory to manage and process data access requests
• Broaden due diligence processes for assessing and identifying corrective actions of third parties
• Deploy effective ongoing monitoring of vendor relationships
• Maintain documentation of processing of the personal data
• Understand data transfers and authorizations at both third and fourth parties

While the numbers seem daunting, given the pace of technology and complexity of third-party relationships, there are action steps service provider organizations can take to mature their internal processes for third party risk governance.

3 Action Steps to take in 2019:

• • 1. Develop a Roadmap for maturing your third-party risk governance program: Benchmark your organization’s third-party risk governance program by downloading and using the 2019 version of the Shared Assessments Program Vendor Risk Management Maturity Model
    2. Expand data governance tracking tools to protect personal data: Download the Free privacy templates in the Shared Assessments GDPR tools. The Target Data Tracker template can enable your organization to document the tracking of target data by third and fourth parties to address the broader third party and data transfer obligations driven by privacy regulations.
    3. Enhance your Training and Awareness Program: Leverage the free resources for data privacy at https://staysafeonline.org/resources/

In today’s market landscape, all organizations utilize third party relationships to run and operate their business. Ensuring that the right privacy protections are in place in your third-party risk governance program demonstrates your commitment to treat your client’s privacy data as your own.
Protecting data in your Privacy Piggy Bank is important not just on Data Privacy Day, but every day!

Personal Information is like money. Value it. Protect it.

#PrivacyAware