How Companies Need to Treat User Data and Manage Their Partners

Pierluigi Paganini May 12, 2021

After the introduction of CCPA and GDPR, much more attention is given to third-party risks, and the privacy terms and conditions users agree to. 

Global privacy regulations, such as the CCPA and GDPR, were enacted to ensure stricter standards when handling the personal data of consumers.

As per these regulations, organizations can be held responsible for their vendors’ inability to comply with regulations. It becomes more and more important as organizations are becoming reliant on third-party vendors.

A Deloitte poll revealed that 70% of respondents admitted to highly or moderately relying on external entities. Overall, the dependency seems to be growing, but respondents claimed to have little to no options for dealing with threats that arise from it. 

Therefore, it is paramount that organizations run a thorough assessment of these third-party vendors and analyze their risks before entering a partnership with them. After all, web owners should prioritize users and whether potential partners won’t do anything to compromise their trust.

Importance of Vendor Assessment

Linnea Solem, Founder & CEO of Solem Risk Partners, has stated that the introduction of CCPA and GDPR has started a revolution. Now, much more attention is given to third-party risks, and the privacy terms and conditions users agree to. 

Article 28 of the GDPR requires businesses to only partner with vendors to manage data with a written contract. They must indicate the subject matter and duration of the processing, the nature, and purpose of the processing, the type of personal data, and categories of data subjects and the obligations and rights of the controller.

Such a contract must stipulate that the vendor/processor will process the personal data only on documented instructions from the controller. They must also ensure other sufficient safeguards to ensure the confidentiality of the data to comply with the requirements of the GDPR fully.

The CCPA requires businesses to supply specified information to consumers about their third-party data sharing. It also obliges them to notify their vendors when a consumer has requested to have their data deleted.

The CCPA also requires businesses to sign written contracts with third parties, service providers or any other entities who are sold or are disclosed consumer data for any commercial and business purpose. Businesses must ensure that these entities understand and respect the consumers’ data rights and do not use the data in any manner inconsistent with the purpose for which it was originally collected. It is also necessary to provide notice to the consumer if it is being sold further.

Data breaches and other threats

In the case of third parties, businesses that sell consumer data to third parties can be held liable for any violations of the consumers’ rights under CCPR by the third party, if the business which sold the data knew or had reason to believe that the third party intended to violate the data rights of consumers.

Keeping these laws in mind, vendor assessment has become almost an obligation to stay compliant with these laws and avoid any fines or penalties. There have been incidents in recent years where third parties have had data breaches with catastrophic results. An example of this can be traced back to June 2019, when an unauthorized user gained access to Quest Diagnostic’s sensitive data through a billing vendor by the name of the American Medical Collection Agency (AMCA). The culprit gained access to sensitive data of 11.9 million patients, including credit card numbers, bank account information, and even social security numbers.

It was one of the biggest third-party data breaches of all time, and there have been several more that occurred the same year. This is why organizations need to be careful when they onboard a third-party vendor for handling their consumers’ data.

Vendor Assessment Process

When assessing the risk associated with a third-party vendor, organizations need to consider three main points: data protection, privacy violations, and respect for consumers’ data.

1.   Data Protection

Data protection consists of the procedures implemented by the vendor to protect the data that it harvests, processes, and shares. Most of them relate to safeguarding data from misuse and reassuring that all procedures abide by the active regulations. Some of the risks relevant here are the following:

  • Data Collection: Analyzes the risks around the vendor’s data collection processes, including the richness of notification messages, which should consist of reasons for collecting data and the categories of personal data collected.
  • Data Storage: Evaluates the risks around the vendor’s data storage and data retention capabilities to understand how effective they are in keeping sensitive data safe and secure. Critical capabilities analyzed should include transport-level encryption, encryption at rest, access control mechanisms, etc.
  • Data Sharing: SaaS, IaaS, and PaaS vendors get a lot of information about their users. All of these details can be used wrongfully. For instance, they could accidentally leak. They can also be sold to other third parties. Lastly, they can be misused. It’s essential to review and recognize how the data is used or monetized by vendors. Other critical risk factors to analyze are the financial incentives baked into contracts and agreements to collect and sell personally identifiable information.

2.   Privacy Violations

A good indicator of a vendor’s privacy health comes from the number of incidents resulting in a fine from a regulatory body or the number of data breaches experienced by the vendor. Little to no violations indicate a sound security posture. Companies have the responsibility to pick reliable vendors processing data on their behalf.

3.   Respect for Consumers’ Data

The ability to fulfill customer data requests for the data it collects/processes is a good indicator of the maturity of its privacy program. Responsible vendors incorporate privacy best practices into their design and development processes. These qualities are of significant operational value to the business. Evaluating the vendor’s capability to handle consumer data requests is an essential part of vendor assessment.

Analyzing all these steps without the help of automation can be a long, tedious task that would require several staff hours and resources, all the while increasing risk of human error. A task as meticulous as this is best done through automation. Automation will help organizations swiftly get through assessment processes and stay compliant, freeing up resources for areas that matter most. As time goes by and laws get stricter, automation will be the only way forward.

Key Takeaways

Concerns over digital privacy and personal data misuse are becoming more prominent each year. Many consumers feel that they have lost trust in many online services. Thus, they are bound to be more careful when picking which services or apps to use. As a workaround, many users turn to tools that appear to offer better conditions. The best place for consumers to start is to find a reliable browser. For instance, Google Chrome might no longer seem like the top choice due to the privacy issues experts highlight. Additionally, you can use the power of GDPR to report activities that seem to violate the act.

Another tool for limiting access to your personal information is a VPN (Virtual Private Network). A VPN app will encrypt information about your browsing activities. Frequently, our online actions can define us as a person. For instance, our browsing patterns can clearly show our political views, sexual orientation, mental state, location, etc. Thus, an effective way to limit access to such data is to reroute it through a secure VPN tunnel.

All in all, organizations will need to assess the risks associated with their vendors before starting a relationship with them like. Companies will have to analyze all the aspects of their potential vendors concerning risk and security before choosing the right one. This is a long, meticulous task that could seem inefficient and time-consuming. Organizations should implement automation to make this process swift and productive with minimized error and complete compliance.

About Author: With a passion for working on disruptive products, Anas Baig is currently working as a Product Lead at the Silicon Valley based company – SECURITI.ai. He holds a degree of Computer Science from Iqra University and specializes in Information Security & Data Privacy.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, user data)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment