After The Ink Dries: Monitoring Third Parties You Share Personal Information with Beyond Due Diligence

Third-party vendor management extends far beyond the initial signing of your contract. It’s an ongoing process that involves getting your own house in order and maintaining oversight of theirs.  

Internal Steps to Manage Third-Party Data Risk 

Third party data risk management is not just a matter of overseeing the operations of your vendors. It involves careful consideration of your internal operations, too.  

Here are some items you need to consider internally to effectively manage your third-party data risk:  

• Develop and maintain a comprehensive risk assessment framework. This should contemplate and document your risk appetite and outline events that would trigger a termination of your contracts, amongst other things.  
• Document and review what impact any disruption to your third parties would have on your organisation and, again, consider this in the context of your risk appetite. You may wish to update your vendor requirements based on the potential impact their being disrupted would have on your operations.  
• Review your purpose for collecting the personal information you share and decide whether you still need to collect that data. If not, you should stop collecting this data and consider whether you should delete it internally and/or request your vendors do the same.  
• Review their purpose for collecting and storing personal information and decide whether that aligns with your purposes. If not, strongly consider whether you should be sharing that information with them. There is an elevated risk that you won’t have consent for that, unless you previously considered this situation and included it in your privacy disclosures.  
• Promote a culture of risk awareness. Your team is your first line of defence against third-party privacy risks. They should be trained to recognise and report these risks at the earliest possible stage.  

External Steps: Monitoring Third Party Data Sharing Throughout the Relationship 

Vendor risk management is not a set-it-and-forget-it item. It’s an ongoing process. Here are some steps you should regularly take to manage your third-party data and privacy risk: (The cadence should vary depending on the risk profile of the third party) 

Compliance & Change Questionnaires 

We encourage organisations to require third parties to regularly send responses to compliance and change questionnaires. These questionnaires evaluate and assess third parties, and their compliance with your contractual requirements. They should be easily comparable to earlier responses, so any changes are simple to identify. In fact, this process should ideally be automated – with a system that flags any changes or inconsistencies.  

Regular Communication 

Relationships really are key in your dealings with third parties. You should encourage open lines of communication, transparent dealings, and information sharing in all your key vendor relationships. While contracts should play a role in this (and they should require disclosure of certain key information, including security incidents), it’s a good idea to develop relationships beyond your contracts. You might, for example, share information about changes to compliance requirements or schedule regular syncs to check in.  

Performance Metrics 

Your contracts might outline performance metrics reporting at certain intervals (monthly or quarterly are the most common frequencies). 

Common performance metrics for third-party vendors include:   

• Data deletion rate – what data has been deleted this month/quarter?  
• Response times for security incidents. 
• Number of ‘close calls’.  
• Patch management compliance. 
• Adherence to contractual obligations.  

What If the Third Party Mishandles Data You Share with It? 

We previously wrote about what to do if a third party mishandles data your organisation shared with it. You can read that post for more information.  

Alternatively, reach out. Our privacy team would be happy to work with you.