In the previous blog of this series, we explored the impact of data privacy laws and the actions organizations can take to strengthen their data collection and contract remediation capabilities. In this final blog, we extend the discussion to the data management and data deletion actions enterprises can take to respond to the data privacy challenge.
Procurement professionals and third-party risk managers should build ongoing monitoring of data privacy compliance into their third-party risk management and procurement programs. Monitoring how vendors comply with new privacy requirements should include the following actions:
- Establish controls around vendor adherence to data privacy requirements, and scale the depth and frequency of monitoring to the business criticality of the vendor relationship.
- Maintain and update vendor inventory based on ongoing monitoring evaluations.
- Modify contractual provisions as needed, and replace or terminate vendor relationships based on monitoring results or incidents.
- Develop, test and update incident response plans so they are ready to execute when needed.
- Establish an enterprise-wide, role-based training program with a privacy focus that trains procurement professionals and third-party risk managers and raises corporate awareness of data classification and data management.
- Inform the board and risk committees in a timely manner of the organization's exposure and of program health measured against industry and regulatory requirements.
- Employ analytics and automation tools to drive decision-making.
- Monitor and communicate regulatory changes to the company’s Privacy Office.
- Put in place controls to monitor complaints filed against the organization or its vendors with consumer protection agencies and the attorney general.
Should a customer submit a verifiable request to an organization to delete personal information, the organization should also direct any vendors that hold that data to delete it from their records. Proper deletion of data in adherence to new privacy requirements should include the following:
- Understand the data deletion requirements that apply to the organization and which exemptions, if any, apply to the data in question.
- Update contracts with service level agreements and contractual language that require vendors to honor deletion and access requests in a secure manner and within defined timeframes.
- Make sure data destruction is completed per the contractual terms and conditions: at your option, the vendor either returns or destroys all personal data once processing is complete, and destroys any remaining copies unless retention is otherwise required.
- As part of quality assurance/quality control (QA/QC), include periodic spot checks that verify data disposal was actually completed, and maintain an adequate audit trail of each request, the vendors it was forwarded to, and their confirmations of deletion.
In our digitized world, third parties can empower enterprises and drive their strategic objectives. However, if not properly managed, they can expose the enterprise to new risks that lead to serious economic and reputational damage.
Over the years, cyber criminals have seized on this and caused significant financial losses and reputational damage to companies by stealing or exposing private customer information for illicit purposes.[1] Changing industry and regulatory requirements, shifting operating models and an increasingly complex risk landscape have forced the Privacy function to adapt and become more strategic: able to anticipate challenges and take a proactive approach to meeting business advisory and control needs.
To learn more about this topic, please contact the authors. To find out more about how to prepare your organization to tackle the challenges of vendor data compliance, please register and join us for a DocuSign and Accenture webinar on September 17, 2020.
[1] “Ninth Annual Cost of Cybercrime Study,” Accenture, March 2019, https://www.accenture.com/us-en/insights/security/cost-cybercrime-study