Third-Party Privacy Profile

The Third-Party Privacy Profile enables you to:

  • Create a profile record that includes the relevant privacy information about each of your third parties.
  • Organize all the necessary information about a third party, be it a vendor, supplier or other, in a single record, so that the Data Protection Officer has the relevant third-party information at hand, such as the contract in place, terms and conditions, the data being shared, the risk profile and more.

The information contained in the Third-Party Privacy Profile should help answer the following questions:

  • What services does the third-party provide?
  • How essential are these services to your organization?
  • What will be the duration of the relationship with this third-party?
  • What kind of data will the third-party have access to? Will the third-party store any of this data, and if so, how much?
  • To which internal systems and applications will the third-party require access?
  • What would the business impact be if there was a breach or the data was compromised through a third-party breach?
  • Can you use the answers to these questions to assign a vendor a risk score of high, medium, or low?

Building blocks

Third-Party Privacy Profiles are composed of five major building blocks, each aimed at documenting specific information about a third party.

Building block and description:

  • General: Provides basic information about the third party, such as its type (for example, a vendor, contractor or government organization), where the third party is located and who the contact person is.
  • Privacy: A privacy-focused due diligence review that considers the third party’s reputation, experience, history of incidents, and corporate policies and procedures, particularly as they relate to data security and privacy.
  • Contract: Information on the legal agreement between the third party and the organization, to understand what is in scope, when the contract begins and ends, what the status of the relationship is, and to which internal business the product or service is being provided.
  • Service: It is important to consider how each third party will interact with your data. Will they be collecting, assessing, processing, transmitting, or storing your data? This information is recorded here, including where the data is hosted, what data agreements are in place, what type of private data is involved, and so forth. Such information helps your organization evaluate the potential privacy and security risks that could arise if you engage with the third party.
  • Risk: Creating a comprehensive risk profile for each vendor allows you to determine the level of risk to your organization, by measuring the probability or likelihood of a risk event against the severity of its consequence. The Third-Party Privacy Profile can help your organization determine whether your third parties are low risk or high risk, so you have a system that enables you to prioritize vendor risk appropriately and develop a targeted strategy to address those risks.