Overview

It has become commonplace in today’s business world to use third-party vendors for certain tasks that would prove too difficult, time-consuming or resource-demanding to carry out in-house. However, this need for efficiency must be balanced with the need for the organization that hires the vendor to maintain its own privacy. This article will detail the interplay between vendor management and privacy compliance regarding information security and will explore different angles to consider.

Strategy

The best way to maintain control over third-party vendors and organizational data privacy is to use a two-pronged strategy consisting of effective contract negotiation and due diligence.

Contract Negotiation

Control of Organization Data

When it comes to organization data, there is no denying that the data is the exclusive property of the organization. There is also no denying that when a third-party vendor works with an organization, they will most likely be exposed to at least some of the organization’s data.

A well-negotiated contract will set out in clear terms that the control of organizational data, including ownership, lies with the organization. The third-party vendor must respect this fact and deliver to the organization any of the organization’s data within its possession at the organization’s request. This extends to data destruction as well. Additionally, a well-negotiated contract will state that third-party vendors also shall not assert any lien against organizational data as long as this is included in the contract.

Privacy

Data privacy is a smart contract clause for an organization to negotiate and is commonly included in well-negotiated third-party vendor contracts. A good baseline data privacy clause should include the following:

  1. Organizational data shall be used by the third-party vendor to the extent necessary to perform the responsibilities of the contract
  2. Organizational data shall not be disclosed to third parties without prior express written content from the organization
  3. The third party shall provide information security to protect organizational data from unauthorized use or disclosure
  4. Upon the organization’s request, the third party shall provide the organization with reportable information regarding information security measures and any failure or breach of the third party’s information-security measures

Compliance with Privacy Policies and Regulations

What also needs to be addressed is compliance with organizational policies and regulations. A well-negotiated contract will include language which states that the third-party’s collection, use and disclosure of the data of the organization will be in full compliance with the organization’s then-applicable data privacy policies and with all applicable data privacy and protection laws. Contractual clauses like this will be helpful when an organization is subject to regulations such as HIPAA.

Security and Protection

Well-negotiated contracts will also take into consideration the security and protection of the organization’s data when it is in the custody of a third-party vendor. Effective contracts will include language requiring that the third party maintain adequate, commercially-available data security procedures, facility procedures, safety procedures and other safeguards against destruction, alteration and disclosure of the organization’s data. Operationally, clauses similar to this will serve as documentation of the legal responsibility of the third party regarding ongoing information security of the organization’s data.

Ethical Hacking Training – Resources (InfoSec)

Due Diligence

Aside from effective contract negotiation, due diligence will also be required to ensure effective third-party vendor management and privacy compliance. Below are some key issues to take into consideration.

Internal Privacy Audit

Organizations should conduct regular internal privacy audits of all data processing activities within the responsibilities of the third-party. This will give the organization a thorough understanding of the scope and depth of the third party’s responsibilities, if they do not already have such an understanding.

Risk Identification

Organizations should take steps to identify foreseeable internal and external data privacy risks. These risks should include security, integrity and confidentiality of organization data against unauthorized use, disclosure, destruction and alteration of said data. There should also be an internal assessment of safeguards currently in place to control these risks.

Third-Party Information Security Experience Audit

There should also be auditing designed to assess the third party’s experience with privacy and data security, as well as to assess the experience of any subcontractors involved. Organizations will want to assess the third party’s (and subcontractor’s, if any) information security and privacy policies, the methods and means used by the third party to protect data, and any previous complaints and investigations against the third party regarding client data.

Internal Data Audit

Organizations should conduct internal data audits of the data to be used by third-party vendors in order to maintain the most thorough understanding of the data that will be used.

Contract Review

Due diligence requires organizations to conduct a review of all third-party vendor contracts to ensure that the vendor has control procedures in place to ensure sufficient compliance with the organization’s internal privacy and information-security policies.

Regulation Review

Lastly, it would be a good idea from a due-diligence perspective for organizations to review applicable regulations in place, such as HIPAA, to ensure that compliance with the regulations is enough to ensure adequate privacy compliance. In situations where mere compliance is not enough, additional data-privacy safeguards should be used by the organization to complete the tightening of their data-privacy policies and procedures.

Sources

Vendor Management: A Critical Component of Privacy Compliance, Privacy Advisor