This blog post was written in collaboration between Venminder and Osano, a data privacy company dedicated to simplifying privacy compliance.
In the past few years, data privacy has risen to the forefront as a key issue for regulators, organizations, and consumers. Data must always be collected, processed, and stored safely, even when it’s in the hands of a third-party vendor. In fact, many privacy regulations require organizations to complete due diligence on their third parties to ensure the protection of their customers’ data.
Privacy professionals are navigating an ever-changing landscape, so it’s more important than ever that organizations and their third parties maintain compliance with data privacy laws across the U.S. and around the globe. However, assessing and managing third-party privacy risk can be challenging, particularly with small or limited third-party/vendor risk management (VRM) teams.
Here’s how third-party privacy scores can help organizations mitigate privacy risks, along with best practices for implementing them in your third-party/vendor risk management program.
What Are Third-Party Privacy Scores?
Third-party privacy scores are available through some software as a service (SaaS) providers and offer insight into a third party’s privacy practices and its privacy risk. These scores are calculated by assessing different privacy components, such as privacy policies, security statements, and the vendor’s transparency about its practices. For instance, is the third party transparent about its process for collecting information? Does the third party advise users on how to exercise privacy rights? What type of information does the third party share regarding its compliance efforts? These practices can impact a third-party vendor’s privacy score.
Once scores are calculated, organizations can use them to identify which third-party vendors pose higher privacy risk. Teams can also monitor scores for any changes so organizations can perform additional vendor reviews, as needed.
5 Ways Third-Party Privacy Scores Help Manage Risks
Organizations can rely on these scores for deeper insight into vendor privacy risks, which supports better decision-making in their third-party vendor relationships.
Third-party privacy scores help organizations identify and manage risks by:
- Outlining their data footprint – Many organizations don’t understand the full extent of the data they have and who has access to it. As a result, it can be difficult to manage third-party privacy risks. Third-party privacy scores can help organizations manage their data mapping and know how data is shared with third parties and their subcontractors, or fourth parties.
- Identifying privacy issues – It can be challenging to identify and track privacy issues as vendor inventories grow in size and complexity. Not every vendor will have strong and compliant privacy practices, and privacy scores can help an organization identify gaps and areas of improvement across its entire vendor inventory.
- Informing due diligence – By utilizing third-party privacy scores, organizations can understand what due diligence needs to be collected on the vendor. Before sharing data with a third party, or entering a contract, organizations can review the third party’s privacy score and request due diligence validating the third party’s privacy controls. Organizations can also determine what key areas of the privacy score are most important to them, depending on their risk tolerance strategies.
- Supporting regulatory compliance – Privacy scores provide insight into the third party’s compliance efforts and offer a breakdown of the factors impacting the vendor’s score. Third parties with the highest privacy risk can be prioritized for re-assessment so organizations can ensure compliance with changing laws and regulations.
- Monitoring changes – Third-party privacy scores can help your organization continuously monitor third-party privacy risks. For example, the score can highlight any new or ongoing litigation, such as privacy regulatory violations that turned into lawsuits or consumer lawsuits against the third party’s privacy practices. This may reveal that the third-party vendor has weak data privacy practices and insufficient compliance efforts. Depending on your contract terms, a drop in a privacy score might initiate more frequent monitoring, additional review, or even termination.
What to Do if a Third Party Has a Poor Privacy Score
While a privacy score tool can be extremely useful, it’s important to understand what to do with the information. If a vendor receives a poor privacy score, it could indicate a number of issues to address before signing the contract or continuing the relationship. Maybe a vendor hasn’t shared enough detail on its privacy practices, so it failed to meet disclosure requirements, or maybe the vendor has scattered information on its website, making it challenging to fully understand its privacy practices.
Whatever the reason, here are 4 steps to take when a third party receives a poor privacy score:
- Review the third party’s risk and access – As a first step, your organization should understand what data the vendor will need access to. If the third party is handling more sensitive data or provides critical services, your organization will want to review the score in more detail. However, if the vendor doesn’t have access to sensitive data, the risk may not be as high.
- Understand the privacy score – Your organization should review the third party’s score in more detail. Maybe the third party neglected to provide key information about its practices, or it scored low on privacy compliance. Understanding the details of the score can help your organization determine the next steps with the third party.
- Request documentation – Depending on the third party’s privacy score, your organization can request more documentation to review the third party's practices and controls in more detail. This may include looking at the third party’s privacy policy, cookie policy, and awareness and training. Documentation related to consent management, incident response plans, and data processing activities may also need to be reviewed.
- Evaluate the relationship – If the third party is unwilling to provide more detail about its privacy practices, or has a poor score with no plans for remediation, it may be time to re-evaluate the relationship. This can mean either choosing another vendor during onboarding or following your exit strategy to end the relationship.
By implementing and utilizing third-party privacy scores, your organization can establish a more successful third-party/vendor risk management program. Understanding your third party’s privacy risk helps your organization make informed decisions and ensures data is protected. A third-party privacy score tool can also relieve some of the burden of identifying and tracking evolving privacy risks.