Solving the overlap between AdTech and third-party risk management

Third-party risk management is one of the biggest areas of non-compliance risk. Nearly two-thirds of compliance executives believe third parties pose the greatest risk, regardless of industry, company size or level of compliance.

At the same time, several significant and multifaceted challenges are emerging under U.S. and global privacy laws. These include the complexity of third-party ecosystems, evolving regulations and data privacy itself. While these are significant challenges, they also present opportunities to uncover blind spots in business programs.

Being proactive in enterprise risk management is essential, particularly with respect to third parties. Often, data providers and brokers are leveraged across an entire organization. It is therefore essential to bring together Third Party Risk Management (TPRM) processes and programs, to ensure they are all consistent and coordinated. To assess the level of risk and uncover potential gaps, compliance and privacy officers should collaborate to determine how often they monitor third parties, what information they collect from and about their partners and vendors, and whether their risk management practices have been diminished due to cost and resource constraints.

Best practices in TPRM

There are many essential fundamentals in TPRM. These include:

  1. Due diligence: Thoroughly vet vendors to understand their data management posture and practices.
  2. Regulatory compliance: Ensure alignment with relevant laws and regulations, with particular emphasis on data privacy obligations.
  3. Security measures: Evaluate the frameworks that protect sensitive information (IP, personal data, sensitive data, etc.).
  4. Incident response planning: Common strategies for responding to data breaches and other incidents.
  5. Contract management: Specific terms and agreements that define risk management responsibilities with clarity and accountability.
  6. Financial stability: Monitor the financial health of third parties to avoid business disruption.
  7. Cultural alignment: Assessment of ethical standards and practices to ensure compatibility.

The intersection of TPRM and privacy

Digital advertising technology, or adtech, underpins the free Internet and creates relevant connections between consumers and businesses. It also presents a series of data privacy risks. In this ecosystem, most companies do not have in-house adtech solutions, meaning they rely on third parties and the digital advertising industry to perform this function on their behalf. These partners can provide businesses with data on web traffic, website visitors, the number of people viewing a product, the effectiveness of a website’s language, and other marketing-related information. All of this is used to aggregate online behavior and make inferences about user preferences to create a profile that serves targeted ads.

Although adtech has given rise to a rapidly growing industry on which businesses have come to depend, concerns remain about what data is collected and where it might conflict with privacy protections or requirements. Given the ubiquity of adtech across businesses and industries, its use must now be considered within the broader TPRM agenda.

This is complicated, however, because many adtech offerings are not deployed through individual service agreements between the company and a specific adtech provider. Rather, there are many potential third parties within a large and complex ecosystem, some of which an organization may not yet be aware of, given the myriad functions performed by different vendors. Additionally, data can be shared across vendors, blurring the already murky lines around each company’s unique data privacy obligations.

So how should this new paradigm be approached? Businesses can apply the fundamentals of TPRM to the use of adtech, relying on existing laws as a guide and foundation. For example, European regulators have long enforced the GDPR against the use of advertising technologies. Organizations that already have GDPR programs and policies in place can reference those in the TPRM program when evaluating adtech usage and vendors. Dozens of lawsuits have been filed in the United States against the use of ad technologies, relying on existing laws that contain data privacy provisions. Again, the learnings from these cases and the requirements of the laws behind them can serve as resources to guide TPRM assessments of an organization’s adtech partners.

The cross-context behavioral advertising rule under the California Privacy Rights Act presents a new standard, in which risk and liability are transferred to a third party, thereby removing safe harbor protections that were previously granted to service providers. Platforms offering digital advertising have already announced that, because they will now be considered third parties, they will no longer offer products that carry targeted advertising in California.

Regulatory changes create opportunities

Regulations will continue to evolve, presenting a moving target for many businesses, but also offering direction. Although organizations will continue to need to collect digital data to understand and reach their customers, traditional principles can be applied to the one-to-many third-party environment. By developing a framework based on real risk (i.e. what the risk is, where it is, and how it is controlled), organizations can balance respect for data privacy with participation in targeted advertising.

Additionally, an expanded set of TPRM principles, which specifically address privacy, can be incorporated into an organization’s program. These include:

  1. Risk identification and assessment: Continuous assessment and prioritization of risks based on third-party access and data sensitivity.
  2. Data protection standards: Ensure suppliers comply with applicable privacy standards and frameworks.
  3. Privacy by design: Require the integration of privacy into product development, customer outreach, marketing activities and related processes.
  4. Access control and monitoring: Strict controls to prevent unauthorized access to or disclosure of personal information.
  5. Incident management and response: Clear protocols to quickly and thoroughly address data breaches and privacy violations.
  6. Transparency and accountability: Require data protection commitments from partners as a prerequisite.
  7. Privacy due diligence and ongoing monitoring: Thorough vendor assessment prior to onboarding and periodically throughout the partnership.
  8. Contractual protections: Specific data protection clauses detailing responsibilities, rights and remedies.

Effective TPRM means that data is viewed differently: there is an additional layer of management and response required for data privacy. The landscape is complex, but if organizations are proactive and review their obligations as soon as they are published, there will be less risk of missteps.

Chris Zohlen is a Managing Director at FTI Technology and a senior member of the Information Governance, Privacy and Security practice. He has over 15 years of experience in information governance and legal technology, helping legal, records, privacy, IT and information security departments identify, develop, evaluate and implement internal e-discovery, privacy and data governance processes and programs.

Jonathan Prewitt is a Senior Director at FTI Technology in the Risk and Compliance practice. He supports his clients in their governance, risk and compliance projects as well as in the selection of technologies. He has over 20 years of experience in risk management, which began with intelligence collection, analysis and production as a cryptologist in the United States Navy.

This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, chief information security officers, chief information officers, chief technology officers, general counsel professionals, Internet and technology practitioners and corporate legal advisors.