Santa Fe Group Third Party Risk expert, Tom Garrubba, recently contributed to Corporate Compliance Insights for his take on the recently released Cisco Data Privacy Benchmark Study
Read the full article.
Those of us in the privacy profession knew it was only a matter of time that privacy-minded organizations would eventually see the benefits of their internal analysis and hard work. Their efforts to refine and/or create policies, procedures, standards and practices that better secure and guard privacy during the handling of their customer’s personally identifiable information are paying off.
Evidence of this came to light in the new Cisco Data Privacy Benchmark Study (January 2019) study published in late January 2019. The study indicates that both outsourcing organizations and service providers are modifying the way they are doing business. Organizations increasingly understand the importance of recent regulations such as the General Data Protection Regulation (GDPR), which mandates protections of the personal data for citizens throughout the EU. This understanding is gaining traction as organizations grapple with similar U.S.-state privacy regulations and guidance, such as the California Consumer Privacy Act (CCPA). From a compliance perspective, this is a breath of fresh air, since organizations are required to provide evidence that they’ve documented (and thus have a handle on) their internal processes and all the hands through which their data passes.
In reviewing the study, I take heart that the respondents’ customers (i.e., outsourcers) are performing proper due diligence as they strive to get a better understanding of how the service providers are (or will be) handling the outsourcer’s customer’s prized data. It appears that these service providers have anticipated the requests from their outsourcers and have built the need for responses into their internal compliance; thus, cutting down on due diligence delays.
These changes lead me to believe that both outsourcers and service providers have gone beyond paraphrasing Alfred E. Neuman (“What, me worry?”) since they’ve begun to see the harsh realities of the often-heavy fines levied for non-compliance. In particular, they’ve taken the privacy (and the related security) mandates of compliance regulations very seriously and are increasingly embedding this type of compliance into their business model.
One part of the Cisco study did raise my brow however; in identifying the “Most significant challenges in getting ready for GDPR,” 42% of the nearly three-thousand respondents reported “Meeting data security requirements,” as the most important. Closer to the bottom of the priority list is Vendor Management. Given the global impacts of major third party breaches over the last three years, third party risk management (TPRM) must be much higher up on the priority list.
The fact is that the security and privacy posture at any organization’s third and “nth” parties who touch personally identifiable information should be as important to the organization as their own security defenses. Outsourcers placing blind faith in their third party partners are almost certainly destined at some point to realize that just because they’ve outsourced the process doesn’t mean they’ve outsourced the risk.
This study is beneficial to organizations and industries of all types in that it evidences the importance of privacy and security compliance within the organization. By taking these concerns seriously, organizations not only create a value add for their customers, they also cover themselves from a compliance perspective by showing that they are conforming to industry best practices and regulations.
A good place to begin to ensure compliance and TPRM goals are being met by all third parties with whom a company is sharing data is through the use of recognized, field-proven best practices and TPRM tools – and ideally, tap into a global “intelligence ecosystem” of risk management professionals whose insight and experience can prove invaluable. One such resource is the member consortium Shared Assessments which produces many free tools used by member and non-member organizations alike.
Sadly, some organizations will fail to embrace important compliance processes and document their understanding by “following the data.” At every phase, from planning a third party risk management program, to building and capturing assessments, to benchmarking and ongoing evaluation of a program, there are TPRM tools that are invaluable for managing risk.
The impacts of third party breaches and lapses have been the stuff of headlines over the last year, and every organization’s shareholders, customers, partners and other stakeholders are taking note. Companies no longer have the luxury of acting like the proverbial ostrich with their head in the sand, oblivious to the compliance perils that third party partners pose.