Controlling Third-Party Data

Data control and privacy laws are on the rise. With recent legislation such as the CCPA, the Biometric Information Privacy Act, and the EU GDPR in force, and new ESI-related acts on the way, it has become a necessity to keep information governance and data control in frequent conversation.

Third-party data is defined as any data collected from a variety of sources by a company with no direct connection to the consumer whose data is collected. Third-party data sources include, but are not limited to, websites, social media networks, surveys, and subscriptions.

A common oversight is for corporations to avoid evaluating how third-party companies are using their company's organizational data. According to a survey conducted by IBM, “78 percent of U.S. respondents say a company’s ability to keep their data private is ‘extremely important’ and only 20 percent ‘completely trust’ organizations they interact with to maintain the privacy of their data.”

Key Assessment Components

  • Map Out Data Landscape – Identify which third-party companies your company works with. Until you have a concise picture of all the various types of data third-party vendors collect, you cannot move forward to identify the specific data that is relevant and at risk.
  • Define Data – Identify the specific data relevant to your company as well as where organizational data is stored. This includes employee devices, on-premises hardware, the cloud, etc.
  • Explore All Avenues – What specific data do they touch, and in what capacity? What is their relation to that data? Is it a necessity that they have access to this data? The more questions you ask, the closer you will get to where your data may be vulnerable.
  • Prepare – Which of your company's data is relevant to regulations and audits? There are a handful of new data privacy and breach notification laws in place. Become informed and prepared to handle these incidents if they arise.
  • Individual Vendor Risk Assessments – How are they protecting your company's data? Does it line up with both company and industry standards? Just as you evaluate your own company's organizational data to identify risk, you need to evaluate your vendors' processes in the same way.