Background to current privacy challenges
Organisations that collect and process personal information face increasing Privacy compliance challenges, especially where their operations span multiple geographic regions. This, paired with a growing reliance on external service providers to support core business operations, creates complex Privacy compliance challenges. Some Privacy models are more comprehensive than others, leaving these organisations with the daunting task of understanding which compliance requirements are more stringent and which should be adhered to.
In addition to the various privacy models worldwide, there are changes to Privacy law that should be understood because of their global impact. Specifically, the General Data Protection Regulation (GDPR), agreed upon by the European Parliament and Council in December 2016, is set to replace the Data Protection Directive 95/46/EC in May 2018. This will impose new, more stringent Privacy compliance requirements and impact organisations’ operations on a global level. For example, under the revised GDPR compliance requirements, any organisation that processes European Union citizens’ personal information will be subject to the provisions of GDPR, regardless of where the organisation operates.
South Africa has also seen significant development around Privacy regulation – specifically the passing of the Protection of Personal Information Act (POPIA) and the establishment of the Information Protection Regulator, which is underway. POPIA is largely based on GDPR requirements; however, it is important to note that POPIA is currently the only Privacy legislation that defines “data subjects” to include both natural and juristic persons. Therefore, organisations operating in South Africa must consider protection efforts for sensitive information that relates to them as an entity, as well as to their vendors and customers that are juristic entities.
COMPARING GDPR AND POPIA
When comparing GDPR and POPIA it is clear that both, with very similar requirements, set out clear responsibilities for organisations that collect and own personal information and determine how it is processed (“Data Controllers”), as well as for the parties that process such information on their behalf (“Processors”/“Operators”). Processors can be employees of the controlling organisation or contracted third parties. For the purpose of this article, we refer to third parties.
Given the comprehensive Privacy requirements, it is important to understand that Data Controllers remain ultimately liable for data protection and therefore cannot outsource accountability to Processors. However, the Processors will now have to adopt controls that ensure adequate protection of the personal information they process on behalf of the Controllers. This puts the onus on Controllers to implement structured Third Party Management Strategies that enable effective monitoring and control.
PRIVACY AND THIRD PARTY MANAGEMENT
THIRD PARTY RISK MANAGEMENT A KEY GLOBAL PRIVACY COMPLIANCE REQUIREMENT.
Over and above compliance with Privacy requirements, appropriate Third Party Risk Management supports good corporate governance, and in some industries is required as part of mandatory due diligence practices. Therefore, it becomes important and appealing to implement and maintain comprehensive Third Party Risk Management Strategies, regardless of an organisation’s size or industry. Third Party Management Strategies yield various benefits when they are effective, including operational cost savings, process efficiencies, improved governance procedures, streamlined vendor management and a reduction in the risks associated with outsourced information processing.
Key considerations for a Data Controller that outsources some or all of its personal information processing to a third party, to align with global Privacy requirements:
- It is a requirement, and good practice, to conduct an impact assessment of all planned information processing that is deemed a “high privacy” risk. The results of impact assessments inform the appropriate technical and organisational controls that must be implemented to ensure secure and fair processing.
- When selecting Processors to conduct personal information processing on its behalf, Controllers should identify and select those that are in a position to evidence their ability to adequately secure the personal information planned for transfer and processing.
- To identify appropriate Processors, Controllers should conduct an information gathering exercise, based on the impact assessment results, to identify appropriate third parties, i.e. third parties that can evidence appropriate privacy controls.
- Once a Processor is selected, the relationship, associated roles and responsibilities must be documented as part of a formal contractual agreement. This agreement should set out the minimum legal requirements and expected controls to facilitate secure and fair processing.
- Controllers are required to keep a consistent view of their Processors’ information handling and security practices. This is usually done through privacy and security assessments. The depth of these assessments is based on the level of risk posed by the Processor as well as the sensitivity of the personal information being processed on the Controller’s behalf. This process is important in order to verify any changes in the risks posed to the Controller over time and to remediate appropriately.
The extent of the mandatory third party management activities that Controllers have to put in place may make them difficult to manage and monitor consistently. Often, different functions within one organisation take on some Third Party Risk Management tasks in isolation, or only partly aligned with other functions. This means the overall approach is very likely to be inconsistent, not maintained in a single repository and therefore ineffective. A further impact is that vendors may be approached more than once for the same verification process, leading to confusion and even negatively impacting the relationship with the third party.
Triplicity has been designed to facilitate the overall process by offering a single tool for Third Party Risk Management. From third party profiling and risk assessment to the management of remedial controls, Triplicity offers a single tool to facilitate the Third Party Risk Management process and its remediation.
If you are in the process of addressing your organisation’s privacy compliance requirements, effective Third Party Risk Management is a key compliance competence that requires a practical and scalable solution. Our team assists our clients in understanding and defining a pragmatic approach, paired with Triplicity to manage the risk.