Privacy Resources For Vendor Risk Management
Data Privacy Scoping Template
Given the pace and complexity of data protection regulations, Shared Assessments provides a free, scoped Privacy Standardized Information Gathering (SIG) Questionnaire mapped to privacy frameworks. This template helps organizations complete third party data privacy reviews, and is a step towards navigating and addressing data governance in third party relationships.
What is a third party data privacy review?
A third party data privacy review (also called a vendor data privacy review) assesses the strength of, and identifies weaknesses in, a vendor’s or third party’s data privacy program.
Data Privacy Questions To Ask Vendors
When reviewing a third party’s data privacy posture, questions should cover the vendor’s:
- Data Privacy Program (describes policies, standards and procedures)
- Data Privacy Organization (reveals position designation)
- Privacy Awareness Training (gives understanding of data and records management)
- Privacy Impact Assessments (evidences risk assessment)
- Access by Individuals (clarifies purpose limitation)
- Privacy Notice (measures transparency)
- Use, Retention, and Disposal (covers data de-identification)
- Fourth and Nth Party Management (reveals contracts and agreements)
- Monitoring and Enforcement (describes inquiry, complaint and dispute processes)
Conducting A Third Party Data Privacy Review
The first step in conducting a third party privacy review is to identify and confirm the specific privacy regulatory jurisdictions that are applicable to the client-scoped data, and the services that are in scope for the assessment.
Certain privacy regulations trigger obligations for service providers when the vendor interacts directly with individuals, collects data from the individual, or hosts mobile/web applications.
The Privacy SIG Questionnaire scoping template provides additional filtering questions to identify these scoping attributes and to present additional control questions based on the specific functions that the vendor performs.
Data Privacy Risk Management Framework
Data Privacy is included in all levels of the SIG Questionnaires based on the depth and breadth required for a data protection impact assessment or a privacy-focused third party due diligence.
The SIG Questionnaire provides a set of standardized “filter” privacy questions to streamline this triage process: the responder’s answers to these questions scope out the privacy regulations that do not apply, so that service providers are not burdened with answering control questions that are out of scope.
The table below shows an overview of the SIG Questionnaire hierarchy:
Data Privacy Resources For Risk Management
The relationship between contracts, vendor management and privacy is strong. Read about the Data Governance in Risk Management here.
Data privacy requirements are evolving quickly. Refresh your knowledge of recent breaches and newly implemented regulations here.
The United States does not have a single data privacy law – instead it has a mix of laws.
Get insight from experts on how to stay on top of data governance processes for third party risk with specific tips for Schrems II, GDPR, and CCPA. Watch the on-demand webinar here.