Why should Third-Party risk and Data Privacy be top of mind for organizations?

Third-Party risks and Data Privacy should be top of mind for organizations because almost all organizations use third parties. Most will have to make adjustments to manage the regulatory and operational changes needed now and in the near future. 

Organizations are grappling with a dizzying array of new Data Privacy and Data Protection regulations.  A recent Gartner study predicts that by 2024, 75% of the global population will have its personal data covered under privacy regulations. 

As the regulatory landscape continues to expand business obligations and tighten by requiring businesses to change how they manage data, organizations need to pivot from a reactive stance to a proactive stance on Data Privacy issues to thrive. I created a five-minute video explaining why Third-Party Data Risk would be a top-of-mind issue for organizations in 2022 and beyond. 

Third-Party data risks are not a new challenge. However, growing Data Privacy and Data Protection regulations require organizations to be more accountable and transparent in how data from First-Party data holder organizations are handled when data from data stakeholders (consumers, data subjects, etc.) is transferred to third parties. Many existing regulations like the EU's General Data Protection Regulation, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) make a fine point to highlight the requirements for transparency to data stakeholders and some legal basis mechanism for making Third-Party data transfers.  Each jurisdiction is different in what they consider appropriate to make these data transfers lawfully. However, it is safe to say that more changes and complications may arise that organizations should be prepared to address proactively.  Organizations need to consider three areas now: the rise of consent as, in some jurisdictions, a primary legal basis for third-party data transfers, operational adjustments needed within organizations to manage Third-Party risks and grappling with new data transfer agreements.  

The rise of consent as a legal basis

The EU's GDPR remains the most comprehensive and influential Data Protection Regulation globally. As such, many jurisdictions that have passed Data Privacy and Data Protection regulations have liberally borrowed the outline of determining what is considered a "legitimate interest" when organizations are using the data of individuals.  In the EU GDPR, consent is one of six categories of legitimate interest and the one that many organizations depend on only as a last resort. Consent is more difficult for organizations because consent is fragile and requires organizations to implement mechanisms for individuals to record affirmative consent and provide the ability for individuals to revoke consent. Some regulations like China's Personal Information Protection Law (PIPL) and the UAE Protection of Personal Data Law (PPD) consider consent a primary legal basis for Third-Party data transfers. We are also seeing organizations like Apple, with their App Tracking Transparency Framework (ATT), limit their own Third-Party risk by requiring third parties to create First-Party relationships directly with data stakeholders for advertising purposes. As more influential tech companies and regulations focus more on consent, many third parties will need to adjust to a world where they must find alternatives to Third-Party data acquisition. 

Operational adjustments to Third-Party data transfer risks

Organizations are grappling with a major operational change in what regulators and data stakeholders expect from them. For example, the type of transparency that regulations expect organizations to have with data of individuals has been difficult to achieve with legacy technologies because many were not built to provide the level of transparency required nor the capabilities to extract or delete data on an individual basis.  Organizations either have to find creative ways to develop transparency and deletion capabilities with existing systems of investment in technology and talent that will enable capabilities to manage new expectations brought on by new regulations. For example, the Norway Data Protection Authority fined LGBTQ+ location-based social networking app Grindr 7.1 million dollars (65 million NOK) for transferring sensitive data about app users, including sexual orientation, to third parties for advertising purposes. Information about the location, device ID, and sexual preferences was shared with third parties who used the data for behavioral advertising.  Organizations need to be aware that dealing with data of individuals may require operational changes in how data is managed that were not previously necessary.

Data Transfer Agreements

Although data transfer agreements like EU Standard Contract Clauses (SCCs) are not new, the data landscape has greatly expanded. As a result, the Internet and increased capabilities to do data transfers in the digital world. In addition to the most recently updated EU Standard Contract Clauses and the new UK Standard Contract Clauses, many other regulations require documentation between First-Party and Third-Party data holders to clarify the obligations that they share, including the facilitation of responses to regulations or data stakeholders.  These new obligations for Third-Party data holders often materialize as vast questionnaires or updated addendums to service contracts. This is the new normal and third parties should expect to be asked to do more related to Data Privacy and data protection when receiving First-Party data. 

When organizations can revaluate their current Third-Party data risks, they will be far ahead of other organizations and make Data Privacy a business advantage.