Regulations, industry standards, and business strategies continue to change, making Data Governance more challenging to implement, particularly with your third party vendors.
Shared Assessments recently hosted a webinar on Data Governance for your TPRM program, where Shared Assessments experts shared insights on how to stay on top of data governance processes for third party risk, with specific tips for Schrems II, the General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA). The full Data Governance webinar recording and the slide deck from the event are available here. Speakers included:
- John Bree, Chief Evangelist & Chief Risk Officer, Supply Wisdom
- Web Hull, Privacy and Data Protection Officer, Sr Risk and Compliance Analyst, Abacus Insights
- Tom Garrubba, Vice President, Shared Assessments
What is ‘Data’?
Data is “distinct pieces of information” that are formatted and stored in a way that suits a specific purpose. Data is either quantitative (it contains numbers) and/or qualitative (it describes something).
In third party risk management, data can be personal information, including personally identifiable information (PII), protected health information (PHI), cardholder data (CHD), or biometric data. Data can also be company data: financial, pricing, intellectual property, copyrights/patents/trademarks, strategies, confidential information, or plans.
Business intelligence data helps you make better decisions, solve problems, understand performance, improve processes, and understand your customers. Other examples of data include email, internal information, and voicemail. Data can be on paper. Even the conversation you have on the subway or elevator could be turned into data.
What is Data Classification?
There are two concepts within Data Classification:
Data Category is based on the identity of the owner of the data or type of data subject. Data Categories might include the following:
A. Business Information
B. Company Information
C. Personal Information
D. Employee Information
E. Information about Minors/Children
Level of Confidentiality is assigned to the data based on a hierarchy in data classification. Level of Confidentiality might include levels such as these:
Data classification needs to be defined within your organization and has to be constantly updated. Data classification is a living process. In terms of contracts, this needs to be communicated to all of your third party vendors. How is data treated? What kind of access control is implemented around data? How is the data processed or stored? What are the audit rights for this data? 4th and Nth parties need to be identified upfront and your third party vendor needs to have their own TPRM program and all terms/conditions laid out and issued to their third parties.
What is Data Governance?
Your organization should have controls to manage the lifecycle of your data. A third party that is entrusted with your organization’s data should have controls to manage the lifecycle of your data – they are an extension of your organization. Assessments focus on data that is involved in the outsourced services, and this data is called “target or scoped” data.
What are the Core Principles of Data Governance?
Data Flows are important principles in data governance. Data flows help define who owns the data – who are the stakeholders? Who generated the information in the first place? Using data flows and maps, you need to be certain of the classification criteria you are following.
Data flows also show where your data is moving. Directions can include internally (Gramm-Leach-Bliley Act or GLBA), externally (GDPR, Schrems II, Standard Contractual Clauses), and up to the cloud.
Data Location Tracking or “Data Mapping” is another important principle in data governance. Data maps should be required at onboarding and updated annually. These mappings should identify backup locations and mark possible cross-border issues or need for transfer authorizations. Data mapping can help identify third party use of subcontractors.
Action Steps For Data Governance
- Put data context into your scoping approach for third party risk.
- Adopt a lifecycle approach for third party risk.
- Build repeatable processes.
- Mature cybersecurity governance and operations.
- Expand legal/regulatory monitoring focus areas.
- Implement tracking and monitoring of Nth Party relationships.
- Strengthen external assurance strategies.
- Enhance management and C-Suite reporting.
- Formalize compliance documentation and artifacts.
- Incorporate data governance tools into your third party risk program.
Third party risk practitioners seeking to mature their third party risk governance should understand the regulatory environment, drivers, and factors that trigger third party risk obligations based on the nature of the outsourced services. This understanding should include both the outsourcer and service provider perspectives.
Evaluating the different classifications of personal information can trigger unique data protection requirements for assessing risk in third party relationships. Interpreting and categorizing the types of risk posed by third parties will help implement a defined and structured TPRM program for managing risk in third party relationships.
Finally, remember that your organization must focus on what regulations want or are looking for.