Given the pace and complexity of data protection regulations, Shared Assessments provides a free, scoped Privacy Standardized Information Gathering (SIG) Questionnaire mapped to privacy frameworks. This template helps organizations complete third party data privacy reviews, and is a step towards navigating and addressing data governance in third party relationships.
A third party data privacy review (also called a vendor data privacy review) measures the strength of, and identifies weaknesses in, a vendor’s or third party’s data privacy program.
When reviewing a third party’s data privacy posture, questions should cover the vendor’s:
The first step in conducting a third party privacy review is to identify and confirm the specific privacy regulatory jurisdictions that are applicable to the client-scoped data, and the services that are in scope for the assessment.
Certain privacy regulations trigger obligations for service providers when the vendor interacts directly with individuals, collects data from the individual, or hosts mobile/web applications.
The Privacy SIG Questionnaire scoping template provides additional filtering questions to identify these scoping attributes and to present additional control questions based on the specific functions that the vendor performs.
Data Privacy is included in all levels of the SIG Questionnaires based on the depth and breadth required for a data protection impact assessment or a privacy-focused third party due diligence.
The SIG Questionnaire provides a standardized set of “filter” privacy questions to streamline this triage. Based on the responder’s answers to these questions, privacy regulations that do not apply are scoped out, which removes the burden on service providers of responding to questions that are out of scope.
The table below shows an overview of the SIG Questionnaire hierarchy:
The relationship between contracts, vendor management and privacy is strong. Read about the Data Governance in Risk Management here.
Data privacy requirements are evolving quickly. Refresh your knowledge of recent breaches and recently implemented regulations here.
The United States does not have a single data privacy law – instead it has a mix of laws.
Get insight from experts on how to stay on top of data governance processes for third party risk with specific tips for Schrems II, GDPR, and CCPA. Watch the on-demand webinar here.