This series explores the impacts of data privacy laws on procurement professionals and the proper management of third-party data privacy requirements in the new world. This first blog addresses data collection and contract remediation.
Where is third-party data management today?
In our constantly evolving business environment, companies are hard-pressed to resolve disruptions while trying to connect more closely with their ecosystem of customers, business alliances and vendors to deliver “best-in-class” products and services.
Complicating matters, the risk landscape has changed dramatically, and the outbreak of the pandemic is accelerating such disruptions. Downstream impacts have permeated organizations around the globe and across industries. Existing business operating models are further exposed to cyber and security risks as workforces have transitioned to remote working environments. New and emerging technologies have risen to become a new type of third-party supplier. According to Accenture’s Third Annual State of Cyber Resilience Report, organizations face 22 security breaches per year on average, and the total average cost per attack is $380,000 per incident [1].
As a result of increasing market and regulatory pressures and escalating data breaches, third-party risk management (TPRM) is top of mind for Chief Procurement Officers (CPOs), Chief Operating Officers (COOs), Chief Financial Officers (CFOs), Chief Information Officers (CIOs), Chief Technology Officers (CTOs) and other executive client sponsors. According to Accenture’s Technology Vision 2019, “…only 29 percent of business and IT executives report that they know that their ecosystem partners are working diligently … to be compliant and resilient with regard to security.” [2]
With data privacy regulations such as the General Data Protection Regulation (GDPR) [3] and the California Consumer Privacy Act (CCPA) [4] taking effect, procurement leaders need to know how their vendors collect and share personal data, understand data privacy risks in their supply chain, thoroughly vet vendors’ data processing practices and renegotiate contract terms if needed. All of this requires clear knowledge of what is in their agreements, so that compliance work does not slow down the business.
What does this mean?
According to the “A New Roadmap for Third Party IoT Risk Management” benchmark study conducted by the Ponemon Institute in 2020 [5], nearly 90 percent of respondents expect their organization to experience a data breach or cyberattack caused by insecure Internet of Things (IoT) devices or applications in the next two years. This points to the growing importance of managing data privacy within third-party risk management and the supply chain.
To comply with new data privacy regulations, procurement and third-party risk managers should make sure third-party vendors can properly manage privacy commitments pertaining to the collection of consumer/personal information. A programmatic and consistent methodology is key to assessing the prospective vendor relationship. This includes an assessment of each third party’s exposure to, and the applicability of, GDPR/CCPA, in order to identify in-scope Personal Information (PI) elements and to evaluate its current-state data collection processes. The assessment should also include the following actions:
- Conduct proper due diligence when appraising the vendor, including a review of new policies, procedures and processes around data maintenance, data classification and data repositories that are in accordance with privacy requirements.
- Appropriately tag data at collection points and as it transfers from structured to unstructured sources. Companies need to understand the types of data being sent to third parties and maintain adequate tracking of the data throughout the lifecycle of the contract.
- Compile a centralized and risk-tiered vendor inventory, inclusive of subcontractors and affiliates, that provides comprehensive visibility into the business criticality and concentration of vendor relationships. This is key to prioritizing vendors that have potential exposure to data privacy issues.
- Obtain data maps that document a vendor’s collection, sale and disclosure of PI and understand the points of collection:
  - Collect directly from customers;
  - Receive PI from other parties and subcontractors; and
  - Passively collect through cookies, server logs, and other online tracking technologies that collect PI automatically.
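The tagging, inventory and data-map actions above can be made concrete in a small tool. The following is an added example, not code from the original post or from Accenture: it tags fields at their collection point (direct, third party or passive), rolls PI exposure up through subcontractors, and produces a risk-tiered, concentration-aware inventory. The vendor names, sample data, PI vocabulary, scoring weights, tier thresholds and the residency-based GDPR/CCPA applicability rule are all assumptions made for illustration.

```python
"""Added example (not from the original post): a risk-tiered vendor inventory
with PI tagging at the collection point. All vendor names, data, weights and
tier thresholds are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Illustrative PI vocabulary. Which elements count as PI or sensitive PI is an
# assumption for this example, not a legal determination under GDPR or CCPA.
PI_ELEMENTS = {"name", "email", "postal_address", "ip_address", "device_id",
               "payment_card", "health_record"}
SENSITIVE_PI = {"payment_card", "health_record"}

# Map each known intake source to one of the three collection points named in
# the post: direct, from other parties/subcontractors, or passive tracking.
SOURCE_TO_POINT = {
    "web_form": "direct", "call_center": "direct",
    "partner_feed": "third_party", "subcontractor_return": "third_party",
    "cookie": "passive", "server_log": "passive", "tracking_pixel": "passive",
}

CRITICALITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}


@dataclass
class Vendor:
    name: str
    criticality: str                  # business criticality: high | medium | low
    data_elements: Set[str]           # elements the contract permits us to send
    collection_points: Set[str]       # direct | third_party | passive
    subject_regions: Set[str]         # where the data subjects reside, e.g. {"EU", "CA"}
    processes: Set[str] = field(default_factory=set)              # dependent business processes
    subcontractors: List["Vendor"] = field(default_factory=list)  # fourth parties


def tag_record(record: Dict[str, str], source: str) -> Dict[str, str]:
    """Tag every field of a record at its collection point.

    PI fields become "<class>@<collection point>" so the tag follows the data
    into unstructured stores; non-PI fields are marked explicitly. Unknown
    sources raise KeyError rather than silently defaulting to a lower-risk point.
    """
    point = SOURCE_TO_POINT[source]
    tags = {}
    for name in record:
        if name in SENSITIVE_PI:
            tags[name] = f"sensitive_pi@{point}"
        elif name in PI_ELEMENTS:
            tags[name] = f"pi@{point}"
        else:
            tags[name] = "non_pi"
    return tags


def pi_exposure(v: Vendor) -> Set[str]:
    """PI elements reachable by the vendor or any subcontractor beneath it."""
    exposure = v.data_elements & PI_ELEMENTS
    for sub in v.subcontractors:
        exposure |= pi_exposure(sub)
    return exposure


def applicable_regimes(v: Vendor) -> Set[str]:
    """Simplified applicability (an assumption): GDPR when EU data subjects' PI
    is shared, CCPA when California residents' PI is shared. Real scoping is broader."""
    if not pi_exposure(v):
        return set()
    return {regime for region, regime in (("EU", "GDPR"), ("CA", "CCPA"))
            if region in v.subject_regions}


def risk_score(v: Vendor, critical_processes: Set[str]) -> int:
    """Assumed additive scoring: criticality, PI volume and sensitivity,
    regulatory exposure, passive collection, fourth parties, concentration."""
    pi = pi_exposure(v)
    score = CRITICALITY_WEIGHT[v.criticality]
    score += 2 * len(pi & SENSITIVE_PI) + len(pi - SENSITIVE_PI)
    score += 2 * len(applicable_regimes(v))
    if "passive" in v.collection_points:
        score += 1                      # tracking technologies are the hardest to map
    score += len(v.subcontractors)      # each fourth party widens the exposure
    if critical_processes and len(v.processes & critical_processes) / len(critical_processes) >= 0.5:
        score += 3                      # concentration: one vendor under half of our critical processes
    return score


def tier(score: int) -> int:
    return 1 if score >= 12 else 2 if score >= 7 else 3


def prioritize(inventory: List[Vendor], critical_processes: Set[str]) -> List[dict]:
    """Flatten vendors and their subcontractors into one inventory, highest risk first."""
    rows = []

    def walk(v: Vendor, via: str) -> None:
        s = risk_score(v, critical_processes)
        rows.append({"vendor": v.name, "via": via, "score": s, "tier": tier(s),
                     "regimes": sorted(applicable_regimes(v)), "pi": sorted(pi_exposure(v))})
        for sub in v.subcontractors:
            walk(sub, v.name)

    for v in inventory:
        walk(v, "")
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample inventory (hypothetical vendors).
SAMPLE_INVENTORY = [
    Vendor("PayCo", "high", {"name", "email", "payment_card"}, {"direct"}, {"EU", "CA"},
           processes={"billing"},
           subcontractors=[Vendor("FraudScreen", "medium",
                                  {"email", "ip_address", "payment_card"},
                                  {"third_party"}, {"EU", "CA"})]),
    Vendor("AdTrack", "medium", {"device_id", "ip_address"}, {"passive"}, {"CA"},
           processes={"marketing"}),
    Vendor("OfficeSupply", "low", {"order_id"}, {"direct"}, set(), processes={"facilities"}),
]
CRITICAL_PROCESSES = {"billing", "fulfilment"}

if __name__ == "__main__":
    for row in prioritize(SAMPLE_INVENTORY, CRITICAL_PROCESSES):
        print(row)
```

Two design choices matter in practice: a subcontractor’s PI exposure is rolled up into its parent, so a vendor that itself receives little PI but forwards payment data to a fourth party is still ranked accordingly; and an unknown intake source fails loudly in `tag_record` instead of being quietly treated as low risk.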
To meet their strategic growth visions and objectives, companies have been increasingly integrating their core business functionality with vendors’ functionality inside their own infrastructure. The interconnected nature of this evolved ecosystem introduces new liability and threats if contractual agreements do not contain the proper clauses to manage the resulting risks. Conducting a proper assessment of existing contracts, commensurate with the size and complexity of the company, is not an easy undertaking. Companies should consider leveraging artificial intelligence (AI) to identify opportunities to unlock value: driving operational efficiency, improving process quality and controls, reducing risks by removing resource dependencies, and facilitating scale. Initiating a vendor contract review should include the following considerations:
- Understand if and how data is to be shared with vendors for business purposes.
- Establish an inventory of impacted third-party contractual agreements.
- Begin remediation of impacted contracts with impacted vendors.
- Include proper contractual clauses pertaining to data privacy and security in new contracts going forward, and maintain compliance and due diligence over their lifetime.
In our next blog we will discuss the impacts of data privacy laws in relation to data management and data deletion. To learn more about the topic, please contact the authors. To find out more about how to prepare your organization to tackle the challenges of vendor data compliance, please register and join us for an informative DocuSign and Accenture webinar on September 17, 2020.
1. “Third Annual State of Cyber Resilience Report,” Accenture, 2020. Access at: https://www.accenture.com/_acnmedia/PDF-116/Accenture-Cybersecurity-Report-2020.pdf#zoom=40
2. “Accenture Technology Vision 2019,” Accenture, February 6, 2019. Access at: https://www.accenture.com/t20190201T224653Z__w__/us-en/_acnmedia/PDF-94/Accenture-TechVision-2019-Tech-Trends-Report.pdf#zoom=50
3. “EU data protection rules,” European Commission. Access at: https://ec.europa.eu/info/law/law-topic/data-protection/eu-data-protection-rules_en
4. “The California Consumer Privacy Act of 2018,” California Legislative Information, July 27, 2020. Access at: https://leginfo.legislature.ca.gov/faces/billCompareClient.xhtml?bill_id=201720180AB375&showamends=false
5. “A New Roadmap for Third Party IoT Risk Management,” SFG Shared Assessments, June 3, 2020. Access at: https://sharedassessments.org/blog/a-new-roadmap-for-third-party-iot-risk-management/