{"id":2288,"date":"2023-05-24T11:48:00","date_gmt":"2023-05-24T17:48:00","guid":{"rendered":"https:\/\/trustarc.com\/?post_type=resource&p=2288"},"modified":"2025-07-09T12:54:44","modified_gmt":"2025-07-09T17:54:44","slug":"does-your-company-manage-third-party-vendor-privacy-risk","status":"publish","type":"resource","link":"https:\/\/trustarc.com\/resource\/does-your-company-manage-third-party-vendor-privacy-risk\/","title":{"rendered":"How Well Does Your Company Manage Third-Party Vendor Privacy Risk?"},"content":{"rendered":"\t\t
\n\t\t\t
\n\t\t\t\t\t\t\t\t\tArticles<\/strong>\n\t\t\t\t\t\t\t\t\t\t

How Well Does Your Company Manage Third-Party Vendor Privacy Risk?<\/h1>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\n\n\t
\n\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\"\"\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\tPaul Iagnocco<\/strong>\n\t\t\t\t\t\t\t\t\t\t\t\tHead, Customer Enablement & Principal, Data Privacy, TrustArc<\/span>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/a>\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

Third-party information security risk is a massive concern for companies of all sizes. And it\u2019s not just because they\u2019re facing greater regulatory compliance demands.<\/p>\n

Failing to comply with data protection and privacy regulations can mean severe legal and financial penalties in the short term. But failing to protect customers\u2019 privacy rights can trigger even bigger financial issues in the long term when customer trust and loyalty are lost.<\/p>\n

So your organization needs to be hyper-vigilant about ensuring third-party vendors protect the privacy of your customers\u2019 personal information \u2013 as if those customers were their own. Because if you lose customers, so do they.<\/p>\n

Privacy is one of the biggest factors in third-party vendor risk<\/h2>\n

In a recent episode of the EM360 podcast titled Effectively Managing Third-Party Risk<\/a> I was asked if privacy is one of the biggest challenges companies face in the third-party risk landscape. The answer is yes, of course.<\/p>\n

But it\u2019s not a simple answer, because there is a lot of confusion about the current state of privacy and a lot of uncertainty about the future state of privacy \u2013 all of which has great implications for effectively managing third-party risk.<\/p>\n

Many companies tend to be reactionary to risk. So this can mean there isn\u2019t a consistent approach to managing third-party vendor risk: some are more cybersecurity focused, and others are more privacy focused.<\/p>\n

Previously, information security teams typically took the lead in assessment and management of vendor risks related to data protection, but now the explosion of the Internet of Things makes data privacy equally important, and privacy teams need to have a seat at the table.<\/p>\n

Procurement teams will need to reach agreements with cybersecurity and privacy teams on their desired outcomes when selecting and managing vendors. It might not be easy, but it will be even more challenging if clear risk principles and guidelines aren\u2019t established internally first.<\/p>\n

I believe the assessment and management of third-party risk should be a shared approach between the privacy office and cybersecurity.<\/p>\n

Given the prevalence of data sharing across any organization, this approach will help ensure you have company-wide clarity on both data privacy and cybersecurity risks. And then you can set expectations and standards for any third parties who may collect or have access to your customers\u2019 personal data.<\/p>\n

Which approach do you use to identify and assess third-party risks?<\/h2>\n

We see various ways privacy and security risk assessments of third-party vendors are administered among the organizations TrustArc meets. Though they usually fit into one of the following approaches:<\/p>\n

    \n
  1. Low-tech assessment \u2013 administered using spreadsheets.<\/li>\n
  2. High-tech assessment \u2013 administered within a software platform.<\/li>\n<\/ol>\n

    We used to encounter some organizations with no approach to assessing third-party risks because they didn\u2019t know how or where to begin \u2013 or they didn\u2019t see the need \u2013 but these cases are now rare thanks to recent enforcements of privacy regulations, particularly from California<\/a>.<\/p>\n

    Pros and cons of low-tech third-party risk assessments using spreadsheets<\/h3>\n

    Pros:<\/strong><\/p>\n