Last week at the Shared Assessments Annual Summit on third party risk, I had the chance to co-facilitate a half-day workshop on The Pivot to Codification of Best Practices of Third Party Risk Management Best Practices, plus moderate a discussion panel on the current privacy landscape. It was not surprising that GDPR was top of mind for many of the over 300 third party risk professionals attending, but so was digital privacy, a topic not often discussed in depth when addressing the tenets of third party oversight. But, as risk professionals know, timing is everything. Having a third party risk summit in Washington, D.C., during testimony by Facebook Inc. CEO Mark Zuckerberg made for lively and thought-provoking dialog among participants.
While the starting point of the dialog was the state of GDPR readiness, the overarching themes started to emerge in a broader context. So, let’s get the GDPR discussion out of the way first, and then turn to the tipping point we experienced in our workshop and panel.
Five things on GDPR
- GDPR enforcement is close – the grace period is ending
- GDPR is complex due to unintended consequences
- There are no simple guarantees to determine if your vendors are GDPR compliant
- Following the data daisy chain is daunting to determine GDPR scope
- It’s a cloudy legal environment – GDPR guidelines require context and interpretation
Data maps, data protection impact assessments, data transfers, breach notification, and subcontractors are familiar concepts to most Information Technology, Security, and Risk professionals. Whether requirements are coming from GDPR, the OCC, NY DFS Section 500 or the SEC Cybersecurity Disclosure Guidance, the expectations for third party risk oversight are maturing along common themes.
The hype on GDPR has been the fear in the C-Suite of the potential for 4% fines and the burden it will place on many organizations to address new obligations. However, the GDPR constructs of “Data Controller” and “Data Processor” roles are becoming a more accepted framework internationally when looked at from the data subject’s point of view. Implementing data portability and the right to be forgotten are absolutely requirements focused on the rights of the data subject. At its core, GDPR is all about privacy rights, which goes beyond a compliance checklist and speaks to the culture and ethics of organizations. Focusing only on meeting the “legal” obligation vs. what is the “right” thing to do can be short-sighted.
Many organizations may be missing the chance to treat GDPR readiness as an opportunity to affirm customer trust. Transparency and disclosure of consumer privacy rights should not simply be looked at as a compliance burden, but as an opportunity to send a positive message to customers. Don’t let the customer or data subject become the last area of focus in your readiness and GDPR program management plan.
The consumer theme became even more apparent due to the serendipity of having risk management sessions amid the congressional testimony by Facebook, Inc. The questioning on data sharing and usage disclosures requires looking at this not only from an organizational point of view but from a consumer’s rights point of view. While the audience makeup was more technology savvy than at other conferences I have attended, it was sadly amusing to see how little some of our D.C. legislators knew about how social media works. Data sharing platforms are designed to deliver customized content. The purpose of the platform is to collect and use data to sell content and provide a consumer application. Customization can’t occur without collecting and using elements of data. I think the concept of consent, and how it is obtained, will be the broader implication for reconciling U.S. privacy law with EU-based models.
We are living in a mobile world that is becoming even more digitally connected, with layers of third party relationships involved in the internet ecosystem. That genie is out of the bottle, to use a tired expression, but now that genie is in the cloud, and there is no going back to the days of analog.
Five things on Digital Privacy
- Make sure that social media/web marketing providers have contracts that outline not only their obligations but the limitations they must adhere to.
- For marketers, educate within your organization on the differences between explicit and implicit consent. Likely your own C-Suite may not understand those differences and the limitations on data utilization.
- Remember that customers have a short attention span and memory of what they agreed to when they signed up for a service. Don’t just inform when a change has occurred but put reminders into ongoing campaigns.
- Privacy is personal. Just like there are different risk appetites, there are different privacy appetites. Recognize that you must think about customers from both ends of the privacy risk continuum.
- Don’t just hide the terms in the click agreement – enable privacy preferences with easy-to-use options. Put the consumer or data subject first.
Our closing privacy take-away for the attendees was to get yourself a rubber bracelet, the kind commonly used to promote causes, but this time your cause is the consumer or data subject. That privacy bracelet, “What Would Data Subjects Want,” is your litmus test for assessing requirements, changes, or interpretations in those gray areas of privacy compliance. So, wear your privacy bracelet with pride as a constant reminder as you navigate the upcoming year of change in privacy and data protection! #WWDSW
Privacy Panel: (Moderator) Linnea Solem, President, Solem Risk Partners, LLC, and Advisory Board Member and Chairperson of the Shared Assessments Program Privacy Working Group; Andrew McDevitt, Sr. Privacy Analyst, Northrop Grumman; Nathan Johnson, Sr. Privacy Manager, Eli Lilly and Company; and Lisa Berry-Tayman, Sr. Manager, Cyberscout Solutions.