Can your third parties be trusted to protect your personal data? Monitoring your supply chain
March 19, 2019
My first client meeting on Wall Street was a tense one. The year was 2014; I had just started my secondment to the New York office, and the Fed had started ramping up their scrutiny of outsourcing regulatory compliance, following in the footsteps of the UK PRA, to shine a light on the management of third party and inter-affiliate relationships. The senior management team was feeling the pressure to act, but had no appetite to kick start yet another regulatory change program. Instead of increasing the pressure with tales of my war stories from the UK, I asked questions to tease out what third party risk management (“TPRM”) practices they already had in place. In particular, how could they leverage their existing TPRM framework to demonstrate compliance?
All too often, regulatory compliance is considered in isolation, rather than holistically alongside existing frameworks. This results in layers and layers of process, duplication and additional cost. In a world where businesses are proliferating and business models seek to outsource non-core functions, third party trust is more important than ever. It is certainly not the first time, nor will it be the last, that third parties play a key part in whether your business is compliant.
Parallels therefore can and should be drawn between that meeting in 2014 and the live GDPR environment today: how are you leveraging your existing TPRM framework to demonstrate GDPR compliance in relation to the monitoring of your third parties?
Clearly, data privacy is a complex area and needs its own considerations, with many of its own processes. However, in order to have a fighting chance of processes not falling over and having longevity, they need to leverage existing processes where possible. Organisations that get this right consider the end-to-end TPRM framework design and make deliberate, considered decisions about where there should be convergence and divergence when overlaying additional requirements. They then implement appropriately, saving cost, time and resource energy in the long run.
Because this is not just a band-aid approach, it takes longer to implement, but crucially it makes the TPRM framework more resilient to change and nimble enough to embed new regulation in the future. And with regulators increasingly focused on continuous compliance, having a framework that enables rapid response to any question from the regulator is crucial.
So if you find yourself feeling a similar tension to my Wall Street conversation, wondering how to tackle third party trust with GDPR, instead of opting for a quick new fix, think about using existing frameworks and developing them for longevity. Your future self, and the business, will thank you for it.
For further information on these and other insights, don’t hesitate to reach out.