Third Parties and Data Protection Laws

Compliance officers already understand the idea that their organizations are responsible for the misconduct a third party might commit on their behalf, so due diligence and monitoring of third parties are wise ideas and urgent priorities.

Still, most compliance functions developed that understanding in an anti-corruption context. Fitting due diligence, monitoring, and third-party oversight to data protection is quite a different exercise.

Why? Because sales agents (the common culprits in an anti-corruption lapse involving third parties) perform discreet services, that the company can interrupt with relative ease. An agent approaches specific targets with an improper payment; the transaction needs at least some person-to-person interaction, and most companies can cut ties to an agent without an immediate business calamity.

In contrast, third parties helping with your data or IT needs to perform constant services. They operate on a vast scale, helping your enterprise manage potentially millions of transactions or customer records. A cybersecurity lapse might cause widespread disruption immediately.

All that said, an organization’s liability for third parties under data protection laws (HIPAA, the GDPR in Europe, state consumer protection laws) is clear. If the third party drops the ball while working on your behalf, the ball lands on your toes.

So how does all that shape a compliance officer’s effort to build a due diligence and monitoring program for third parties in your data services supply chain?

How to Navigate Third Parties and Data

Above all, evaluate your organization’s ability to track these third parties — since a significant part of that ability probably will reside outside the compliance function.

For example, the compliance department can work with the IT department to craft strong policies that tell employees what third parties they can or cannot use. But the compliance department itself won’t have the tools to monitor IT usage and data flows to determine how well those policies are actually followed.

Another important tool in the future will be the SOC 2 audit: an audit that assesses and tests the security controls for data service providers. (“SOC” stands for “service organization controls.”) Those audits can be designed along several different principles: security, reliability, privacy, and so forth.

Again, the compliance officer can articulate what those audits should measure. You want assurance that the third party has adequate controls to prevent the risks you identify in your risk assessment.

But what controls will the audit actually test? What evidence will your organization accept as sufficient? Most compliance officers (from a legal background) will need help from your company’s audit function, and probably your IT or security function as well, to determine that.

Finding a Balance

Conceptually, the big picture is this: balance of your role will shift from monitoring the conduct of employees more toward assessing the trustworthiness of vendors — because the technology is only going to get better, so companies will use outsourced service providers more and more.

Will some employees still ignore policy and use an unproven third party? Of course. That part of the compliance officer’s job, the monitoring of internal activity, will never vanish. But a growing part of the job will be to help other parts of the enterprise govern vendors that will be conduits for data privacy and security risks.

That is, even if all your employees behave perfectly (which they won’t), poor selection or assessment of vendors can still leave your organization with risks sky high. Modern data protection laws, from HIPAA to GDPR and more, make that clear. So do modern consumer views, which make reputation risk just as big a fear as regulatory enforcement or litigation.

That reality will require compliance officers to develop a new suite of tools, alliances, and procedures to manage third-party risk. We can’t even call that reality “the future” anymore, either. It’s already here.