Managing privacy risk through third-party risk management

Brad Gilliat, Luke Pillarella
10/4/2023
A third-party risk program can help life sciences organizations operate more effectively and securely while reducing privacy risks.

Managing risks while outsourcing key functions is a significant challenge that life sciences leaders face. Recent increases in digital technology enablement only exacerbate the reliance on suppliers, partners, and third parties, particularly technology providers. Leaders must mitigate a wide range of risks when selecting and managing third-party relationships.

In response to the increasing use of third parties, which can be attributed at least in part to COVID-19 pandemic-related, evolving customer models, life sciences organizations should strongly consider maturing their third-party risk programs before they experience a significant issue caused by a third party.

Privacy challenges

Life sciences organizations have several industry-specific, high-risk, third-party privacy challenges, including:

  • Clinical trials. Clinical trials involve collecting substantial amounts of personal data from human subjects, making privacy a crucial concern. Third-party contractors often are used in clinical trials for various functions, such as data management, monitoring, and analysis. As such, a third-party risk program can help organizations protect personal information collected in clinical trials and share it only with those who require access.
  • Data sharing and repurposing. Life sciences organizations often repurpose data for use in another study or project, which can increase the risk of unintended uses and data breaches. Organizations may implement a third-party risk program to help verify that third parties handling this data are properly vetted and comply with relevant privacy regulations.
  • Privacy risks. Life sciences organizations handle sensitive personal data, necessitating a robust approach to protecting privacy. A comprehensive third-party risk program is essential to mitigate privacy risks associated with third-party relationships. Organizations can minimize the potential privacy risks by requiring that third parties adhere to privacy regulations and implement appropriate privacy measures.

A mature and robust third-party risk program can help life sciences organizations comply with applicable privacy regulations and address privacy-specific risks associated with third-party relationships. Such privacy risks include managing cookies and tracking technologies, handling data subject requests, achieving and maintaining compliance with consent requirements, and protecting sensitive personal information across various touchpoints. Noncompliance can have severe legal, regulatory, operational, and reputational consequences for both parties, so it is imperative for life sciences organizations to strengthen their third-party compliance monitoring capabilities. For example, under the European Union’s General Data Protection Regulation, controllers are responsible for confirming that their processors comply with the regulation, and they could be liable for their processor’s violations. Similarly, corporate directors and management must make sure the company conducts due diligence when contracting with third parties, including privacy matters.

Components of a comprehensive third-party risk program

Effective compliance programs typically involve people, processes, technology, and governance. Life sciences organizations should determine the configuration and maturity level appropriate for their industry, risk profile, and processing activities.

People

At its core, an effective third-party risk program is built on a foundation of accountability. Simply put, life sciences privacy leaders must formally assign responsibilities for various parts of the third-party risk program to qualified personnel.

Depending on the estimated number of current third parties and available resources, a privacy leader might opt to staff a nascent program with a dedicated privacy operations analyst and task that individual with conducting the third-party privacy risk assessments. In smaller organizations or privacy programs with tighter budgets, existing third-party security risk staff might be enlisted to take on the additional responsibility of privacy assessments. This resource likely could take on responsibilities for maintaining the vendor data inventory, administering the assessment questionnaires, third-party risk tiering, and configuring related tooling. Many leaders find outsourcing arrangements, particularly those based in low-cost geographies, suitable for accommodating the ebb and flow typical of low-volume operations.

Additionally, the legal function must explicitly perform several processes. Namely, privacy counsel should prepare, negotiate, and review each data processing agreement and, where applicable, the standard contractual clauses entered into with third parties. And because legal likely is where the life sciences data privacy officer sits, the function also will need to be responsible for advising on and monitoring the corresponding data protection impact assessments and transfer impact assessments.

The third-party risk management team must work directly with the privacy officer to verify compliance with privacy requirements. Roles and responsibilities should be formally defined and documented in the appropriate governance documents. High-level descriptions are typically memorialized in the data protection policy or a separate privacy roles and responsibilities policy. Process-level roles are similarly defined in the standard operating procedures (SOPs), or in this case, the third-party privacy risk SOP. By defining and documenting these roles and responsibilities, the life sciences organization can help everyone know and understand their obligations to the program.

Processes

SOPs are excellent means of defining, documenting, and formalizing processes. Written SOPs can be mapped to relevant regulatory requirements and used as evidence of audit compliance. However, sometimes organizations need to capture greater detail than typical governance documents provide. In those situations, life sciences organizations can prepare detailed process documentation, including, but not limited to, process model illustrations and a program charter.

A program charter outlines the principles and objectives of the third-party risk program. It is a foundational document that sets the direction and framework for the entire program. Within this program charter, it is essential for organizations to explicitly include adherence to privacy regulations as a fundamental tenet. By doing so, organizations demonstrate their commitment to integrating privacy considerations into the third-party risk framework from the outset.

Technology

Technology is indispensable to managing the third-party risk program. It helps to streamline and improve the efficiency and effectiveness of the underlying tasks and activities. With better tools in place, privacy leaders can avoid manual workflows in which third-party privacy assessments must be emailed, causing delayed responses and difficulty tracking assessment statuses and performance metrics.

Additionally, vendor data inventory services can provide valuable assistance in inventorying essential information about third parties used to evaluate their organizational risk; however, the need for privacy leaders to manage vendor information and keep records up to date still exists. Software platforms also typically offer out-of-the-box, or easily configurable, assessment workflows, periodic notifications, triggers for the automated launch of assessments, and a library of questionnaire templates based on third-party standards (for example, standardized information gathering).

As with staffing options, privacy leaders can explore opportunities to use and reuse third-party security program infrastructure for privacy purposes. At the very least, privacy should capitalize on the synergies by using the same software tools as the security team. Greater efficiencies can be obtained by using a shared automation workflow and preliminary questionnaire template. Further, staff performing tool configuration and implementation may be shared to build automation for both programs.

Governance

In the context of third-party risk, governance plays a key role in guiding and overseeing the program’s activities. This oversight includes defining the governance structure, roles, and responsibilities related to privacy risk management. Moreover, a well-defined governance framework can help all personnel be aware of their obligations and actively participate in the program.

Within the governance framework, life sciences organizations should consider the development of comprehensive third-party privacy risk policies that address privacy risks associated with third parties. These documents provide clear guidance on how privacy risks should be assessed, managed, and monitored within the organization. Policies should define the critical aspects of the third-party risk program, including a rendition of the most important regulatory requirements related to processors, data protection agreements, due diligence, and termination.

Furthermore, the governance framework should facilitate effective communication and collaboration among different departments, such as privacy, legal, procurement, individual business units, and other risk domains. A coordinated approach provides clear lines of accountability and establishes escalation procedures.

By emphasizing the importance of governance, life sciences organizations can establish a solid foundation for their third-party risk program. A well-designed governance framework promotes transparency, accountability, and effective risk mitigation, helping organizations protect sensitive data and maintain compliance with global regulations.

A practical approach to designing and implementing a third-party risk program

Two privacy program workflows should be established – ongoing monitoring of existing third-party relationships and onboarding of new third-party relationships. Privacy leaders should consider whether these will consist of two separate and distinct assessments or cover the same ground. Additionally, the organization should determine if it is open to alternative evaluation methods, including self-assessments, providing an independent audit report, or attestation.

Life sciences organizations should begin the first workflow by identifying the scope of the third parties they already work with, prioritizing high-risk relationships such as research partnerships with clinical research organizations or contract research organizations. They can do this by obtaining a third-party list from procurement or accounts payable systems, reviewing existing contracts held by legal in its contracts management tool, and querying third-party asset data in their information security team’s asset inventory.

The biggest challenge in the second workflow is figuring out how to bring 100% of the company’s procurement transactions within the purview of the newly established third-party risk program. Typically, a substantial percentage of buying happens through a centralized procurement process, but price thresholds, among other criteria, likely exclude most third-party purchases from formal review. Thus, going beyond a sole reliance on the corporate procurement process as an entry point to onboarding third parties will be required. A policy must require buying personnel to notify privacy or, better still, complete a preliminary privacy impact assessment, a records of processing activities assessment, or both, upon reaching a particular phase of purchasing privacy-relevant technology or services.

New third-party relationships could be prevented from proceeding to payment until approved by relevant privacy stakeholders. This requirement should be memorialized in the procurement policies and procedures, not just in privacy governance documents. Further, even where legal takes responsibility for conducting some of the privacy-assessment checks, this approval should remain separate and distinct from legal’s approval as the evaluator of commercial transactions.

Next, the appropriate third-party privacy assessments should be implemented for both workflows to identify risks and determine whether the third-party relationships fall within the life sciences organization’s risk appetite. If the evaluation determines that third-party risk is too high, existing third-party relationships should undergo mandatory remediation procedures, while new third-party relationships should be refused the necessary approvals. Timely resolution of issues should allow the third-party relationship to proceed until the next periodic review, with review periods set using a risk-based approach.

Finally, a process should be defined, implemented, and conducted for off-boarding or terminating third parties at the end of a relationship, including the return or destruction of personal data held by the third party. Confirmation of the third-party responsibilities under this process can be provided by attestation or, in high-risk situations, proof of deletion.

Benefits of a mature third-party risk program

A mature third-party risk program can benefit life sciences organizations and their third parties. By implementing a well-designed and managed program, both parties can enjoy the following benefits:

  • Enhanced trust and reputation. A mature program helps build trust between the organization and its third parties by demonstrating a solid commitment to privacy, thereby improving the reputation of both parties.
  • Greater compliance. A mature program can reduce the risk of legal action against the organization and its third parties by helping maintain compliance with relevant privacy regulations.
  • Increased efficiency. A mature program streamlines privacy processes by reducing the manual effort required for some tasks and freeing up resources for more strategic initiatives.
  • Better risk management. A well-designed and executed program helps the organization and its third parties better understand, manage, and reduce privacy risks associated with working together.

Mature third-party risk programs can help life sciences organizations and their third parties operate more effectively and securely while reducing the inherent risks of working together.
