When the controller comes knocking, the processor (such as an outsourced service provider, or OSP) must open the door. However, the scope, frequency, and assurance levels of the processor's mechanisms are sometimes cost-prohibitive and insufficient to provide meaningful third-party assurance. This article explores the kind of assurance that can demonstrate to the controller that the processor has the right controls or mechanisms in place to protect privacy.
In today's environment, organizations are being inundated with extensive volumes of data, driving the need to better understand the data environment amid all of its threats and vulnerabilities. As it relates to data privacy, an organization that collects personal data and determines the purpose and means of processing it is known as a Controller. An organization that processes personal data on behalf of a Controller is known as a Processor. While an organization may act in the capacity of both Controller and Processor, in many cases Controllers outsource the processing of personal data to a third-party Processor. Examples include using a third party to perform payroll processing, print statements, or provide cloud applications and storage.
With this level of data sharing between organizations, and operating models that involve a multitude of stakeholders, the complexity of such trusted relationships will continue to grow. While this presents a timely opportunity to create value across organizations, it can also make it harder to identify stakeholders, maintain clear visibility, manage the relationships, and communicate with everyone involved.
One of the many challenges is the set of security and privacy risks that arise between a data subject, the Controller, and the Processor. How can a newsworthy event in the OSP (processor) environment affect a data Controller's reputation or customers? What is being done to monitor and manage these emerging privacy considerations and rulesets? Where does your organization fit within these challenges?
These questions can put stress on the ecosystem, hampering transparent communication and the flow of information that stakeholders need to make informed decisions.
There are several approaches to addressing the risks related to processes outsourced to OSPs. Each approach provides the customer with its own level of "assurance", which can be thought of as the overall comfort that can be obtained from various monitoring mechanisms. Each organization may have a different risk tolerance when deciding what level of assurance to obtain. Some considerations in choosing the right mechanism include:
Below, we explore some of the challenges and solutions associated with outsourced relationships and risk monitoring, specifically highlighting the emerging privacy considerations.
As a customer, you should consider which types of reports to request; similarly, as an OSP, you should consider which types of reports to plan for. The following questions can help you decide.
However, before undertaking a new assurance report, a readiness review should be considered to identify potential control gaps and leave time for management to remediate them.