Spotlight on Data Governance – Data Privacy and Third Party Risk in 2021

At this year’s annual Shared Assessments Program Summit, Program Advisory Board and Board Risk Committee Members Linnea Solem and Adam Stone led a Privacy Breakout session on critical privacy and data governance developments in 2021 and the components most critical to effective third party risk management.

From keynote speakers to panelists to discussion, the numbers told a story. 60 jurisdictions worldwide have introduced privacy regulations since GDPR. Gartner reports that by 2023, 65% of the world’s population will have its personal data covered under modern privacy regulations, up from 10% in 2020. If proposed state privacy laws pass, 57% of the U.S. could soon be covered by new privacy rules. 61% of businesses surveyed thought that data privacy regulations improved customer trust.

Here are the critical themes that emerged from our Spotlight on Data Governance for Data Privacy and Third Party Risk in 2021:

Schrems II & Brexit

The EU Court ruling that invalidated Privacy Shield as an approved transfer mechanism is known as Schrems II. Many organizations relied on the self-assessment aspect of this method to enable cross-border data access, a critical complexity factor in third party risk. The European Data Protection Board (EDPB) has drafted guidance and enhanced Standard Contractual Clauses (SCCs) that will need to be executed between outsourcers (Data Controllers) and third parties (Data Processors). Once these are finalized, organizations will need to update data inventories, conduct additional due diligence of third parties, and update contractual provisions across third party relationships by the enforcement date. The exit of the UK from the EU, known as “Brexit”, adds another layer of operational challenge to these action steps.

Data Inventories

Organizations invest significant time and resources developing and maintaining inventories of data flows. Beyond their regulatory compliance obligations, few firms position themselves to exploit the value of these inventories. Further, many organizations fail to identify data flows beyond their third-party relationships. This approach ignores onward flows of data to and from fourth parties, creating an awareness gap and exposing firms to potential downstream liability.

Data Access Requests

GDPR and CCPA further define the rights of individuals to access and manage how their data is collected, used, disclosed, or retained. In many business models, the fulfillment of a data subject request requires contractual expectations for fulfillment between the outsourcer and the service provider. The disclosure of data to third parties and the extended supply chain increases the operational burden of managing these requests.

Risk Assessments

The outcome of the “Schrems II” decision amplifies the need to concentrate on privacy-focused risks emanating from third-party relationships. In particular, organizations struggle to understand the legal and operational threats and vulnerabilities associated with sharing personal data with service providers and suppliers. The Schrems II decision forces US-based firms that once relied on the Privacy Shield program to seek alternative approaches to managing risks associated with overseas transfers of personal data from the European Union.

Tracking Disclosures to 3rd Parties

Aside from US-based firms subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations, few drivers exist to incentivize organizations to account for disclosures of personal data to third parties. As international privacy law evolves, other business segments face the challenge of tracking third-party disclosures and making this information available to data subjects upon request.

Purpose/Processing Limitations

As the Covid-19 pandemic forced organizations to expand reliance on third-party service providers for a wide array of business needs, a new privacy challenge has emerged. Despite contractual assurances from third parties, some firms discover that these service providers fail to enforce restrictions on secondary uses of personal data. This tends to occur more frequently with service providers who lack the sophistication or resources to understand their processing limitations.


Data privacy leverages data classification structures to navigate the rules based on the sensitivity of the data. Beyond security, data protection safeguards focus on usage of the data. Similar to the use of test data in software development, organizations can reduce privacy risk by deploying techniques that mask, sanitize or de-identify the data so it cannot be traced back to the identity of an individual. Using these techniques requires strong data governance programs to manage the policies, standards, and procedures, including testing of the effectiveness of the controls.


Regulators in the western world continue to scrutinize the quality of “cookie notices” used by organizations to provide a degree of transparency to website visitors. At the same time, both regulators and industry groups predict the demise of invasive third-party cookies in favor of a more ethical and transparent approach to leveraging online advertising technologies.

ePrivacy Ecosystem

The focus on digital marketing, the Internet of Things and all aspects of electronic privacy continues to make it challenging to balance the integration of privacy rights, preferences, and the interconnected nature of the technology providers and platforms. The EU has proposed multiple versions of its ePrivacy Regulation, network advertising trade associations have published self-regulatory principles, and technology specifications have been outlined to address CCPA. For third party risk, the challenge is identifying these relationships and validating the practices across each party in the service.

Private Right of Action

GDPR created the “Hot Topic” of a fine that could be applied up to 4% of a company’s total turnover or overall revenue, not just that of the specific line of business that had the compliance failure. In the U.S., privacy and third party risk contain an element of assessing fiduciary liability based on the standard of care, enabling individuals to have a litigation recourse. U.S. state regulations that include this right are growing, prompting momentum to create a federal-level privacy regulation to avoid the checkerboard of conflicting state-level rules.

Bottom line, these 2021 Top Themes from the Privacy Breakout will only be the starting point of the conversation for privacy and third party risk professionals. The common connector between all of these privacy developments is the spotlight on data governance. As frameworks converge privacy and security into common control frameworks, the tools used in third party risk management will need to evolve, adapt, and unify.