All businesses must adopt an always-on approach to managing privacy risk because regulators won’t accept ‘one-and-done’ audits of an organization’s privacy program.
Now they expect to see up-to-date records of how privacy risk is managed day-to-day across the organization, as well as reports on third-party privacy risks.
This shift in expectations began when the EU General Data Protection Regulation (GDPR) became enforceable in May 2018, followed in the US by the introduction of the California Consumer Privacy Act (CCPA) in September 2018, which became effective on January 1, 2020.
Since then, as more privacy laws are introduced and enforced in the United States, most US businesses have had to scramble to keep their data protection policies and processes up to date.
Data protection is now as much about privacy as cybersecurity. This shift means:
- Senior leaders will need to ensure privacy and security are equally prioritized across the organization – a change in business culture is a must.
- Leaders need to model and invest in privacy best practices.
- Organizations need well-resourced privacy programs – given most businesses can’t afford to do it all in-house, they can significantly improve their privacy programs by investing in privacy software and services.
Third-Party Risk Assessment Processes Must Prioritize Privacy
This change in emphasis – elevating privacy as a key concern – means vendor risk assessments must change too.
I explained why this change must happen in a recent EM360 podcast titled “Effectively Managing Third-Party Risk”: no matter what industry you are in, the size of your organization, or the maturity of your privacy program, conducting routine vendor risk assessments is a recognized best practice in data privacy management.
Some organizations choose to run their privacy programs lean. To save some upfront costs, they rely on traditional Q&A or checkbox spreadsheets when conducting privacy risk assessments of third-party vendors. But there are better approaches that are more efficient, accurate, and effective.
I’ve outlined the pros and cons of managing third-party risk assessments using spreadsheets versus specialized software in another article: How Well Does Your Company Manage Third-Party Vendor Privacy Risk?
The short answer is that vendor management solutions (VMS) can help your organization capture, analyze and report better data about third parties, from due diligence to risk assessment processes and contract reviews. Some VMSes offer automated reporting to help you update contract requirements over time, including flagging privacy risks.
As there are so many VMS options available, I recommend creating a checklist of your organization’s requirements, including features that will help you assess vendor privacy and cybersecurity risks.
Vendor Management Solutions (VMS) Checklist
I recommend your organization reviews a least 4-5 providers of software and solutions in vendor management and privacy/security. Below are some important questions for your team:
Have you agreed on risk posture and vendor KPIs?
Before you review any vendors, make sure your procurement, cybersecurity, and privacy teams agree on your organization’s risk posture and set security and privacy KPIs for the solutions you’ll consider.
Next, consider the user experience:
Is the VMS intuitive?
The interface and toolsets must be user-friendly otherwise you risk not capturing key data during assessments at the front end, or useful insights for managing contracts down the track. I recommend ensuring it supports secure direct access by relevant employees.
Is it easy to administrate?
Decide if you need a VMS that supports cross-functional approvals and consider other features that improve efficient administration. For example, does it have a common ability to publish an assessment for cybersecurity and privacy?
Also, consider whether the VMS needs to integrate with other solutions, such as contract life-cycle management tools.
Does it streamline reporting?
Look for features that support your ongoing reporting needs, from the upfront assessment of vendor risk to contract reviews.
For example, some VMS automate workflow and scoring to improve decision-making at every stage. Look for features that improve insights: does it automatically generate insight reports? Will it alert you to gaps in compliance or attestations?
And finally: when issues are identified, will it provide you specific guidance on what is necessary to achieve compliance?
What support is available?
Review the level of software support offered end-to-end. Start with questions about the onboarding and implementation process. And are there extra costs for each user?
Then ask about the level of ongoing support: some VMS providers include support in the purchase price, others make it free (generally with self-service support tools), while some charge an annual support subscription. Moreover, make sure you understand the duration of such support. Is it for the duration of the license agreement or good for only the first 90 days?
Finally, ask about the frequency of software updates and how they’re managed, including shared technology roadmaps.
What is the total cost of ownership?
Further to my points above, too often I hear of businesses not knowing the variety or scale of potential ongoing fees when choosing software. Extra fees for software support or adding users can add up quickly. And don’t be mesmerized by ‘shiny’ things your organization doesn’t really need.
Many supposed enhancements in vendor management solutions aren’t needed for assessing privacy and security compliance.
How qualified is the VMS provider?
Bear in mind the lowest-priced VMS might not be the best deal. The real value of a vendor management solution is built on the experience and expertise of the provider. Therefore, it’s worth considering:
- Is the VMS provider a pioneer in privacy or recent to the industry?
- Does the provider have privacy and/or security experts on staff?
TrustArc’s Assessment Manager Is Powered by Our Privacy Expertise
TrustArc is a pioneer in privacy: we’ve been solving privacy and data governance challenges for our clients since 1997, when we were known as TRUSTe.
We changed the company name to TrustArc in 2015 to reflect our expanded offerings, including unmatched privacy expertise, technology, and certifications – and we remain the only provider to offer all three.
Alongside our high-quality certification and assurance services, we have earned a strong reputation for the deep expertise of our team. Many of our consultants have served as privacy or data security leads with Fortune 500 companies, and we strengthened our privacy thought leadership in 2019 when we acquired Nymity, as well as, the pioneer that developed Nymity’s Privacy Management Activities Framework.
TrustArc’s Assessment Manager is our core solution for vendor management, offering:
- Powerful technology to ensure vendors that may process personal information on behalf of your organization are accurately assessed against your privacy and security expectations.
- Intuitive templates (custom or out-of-the-box) to capture vendor responses and support efficient review by anyone in your organization.
- Conditional answer-based logic built-in, so vendors only need to complete relevant questions.
- Automated approval workflows and notifications – if a specific answer needs a specific action, such as prior approval, Assessment Manager will create a specific action and flag it. For example, an assessment question about privacy will be emailed to a privacy lead.
- Automated identification of gaps – if a vendor hasn’t (or can’t) address any organizational expectation during the assessment, it automatically flags the gaps and generates an action item, with specific guidance for even the most novice people working in the privacy or security office.
