Episode 3 – Privacy Top 10 FAQs for the Supply Chain
Managed Privacy Canada has compiled a list of questions and suggested privacy actions and controls for organizations of all sizes to review before engaging the services of a third party:
|Privacy Question||Privacy Action or Control|
|PQ1. Do you understand if the service provider is legitimately covered by any privacy legislation in the country/ies where they operate?||PAC1. This is a legitimate concern in Canada, where certain organizations are not subject to PIPEDA nor any other provincial legislation (for example in Ontario). So be sure the third parties you would like to engage have compliance obligations and are covered by the applicable laws in the jurisdictions your organization operates in.|
|PQ2. Does the vendor have a Privacy Notice posted on their website?||PAC2. A Privacy Notice is legally binding: if they make any promises, they can be held responsible to them and so can you. Use the third party’s Privacy Notice to investigate their privacy program.|
|PQ3. Did the third party suffer any breaches in the past that they needed to disclose to a regulator?||PAC3. The vendor should disclose such information to you, especially if it was made public. It is important for you to know if you can rely on them to do the right thing in case of a breach. It is also important to know if third party vendors are aware of the obligation to notify you in a breach situation, according to the Privacy Law(s) in your jurisdiction.|
|PQ4. Does the third party have a vendor risk assessment and management competency for its own suppliers (down the chain)?||PAC4. Ask to see the template they use (or at least the topics they are considering): this should reflect their own internal policies and practices as well as legal requirements and will give you an opportunity to find gaps between the third party’s controls and yours.|
|PQ5. Has the third party performed a PIA on the service or product it is offering?||PAC5. A PIA is better than an Audit because an Audit sounds very official and costly. Sure, you should include the “right to audit” in your contract with the third party, and of course you should ask for a third party audit report. But remember: in a PIA, you have to see the data flows and safeguards, and that includes sub-contracted third party providers. You can then ask to see the due diligence performed on the subcontractors and the terms of their contracts with respect to privacy requirements so you can be sure if you can get access to your customer’s data.|
|PQ6. Ask the obvious question: if you collect data on my organization’s behalf, what prevents you from using it without our instructions?||PAC6. You need to see the third party’s controls to ensure they align with Privacy by Design principles, where the control belongs to the primary organization in charge of the data (your organization). Access controls, audit logs of access, and other important controls limiting how the third party can access your data need to be thoroughly investigated and reviewed.|
|PQ7. Ask to see the third party’s employee mandatory Training and the Awareness plan.||PAC7. The training focus and topics will tell you if the organization is providing the right amount and level of information to its employees. Also, the awareness topics may indicate in many instances gaps the organization found internally and their efforts to address these with their employees. Your organization can offer to augment their training to reduce your own risk to an acceptable level.|
|PQ8. Ask about the third party’s backups and any offshore storage||PAC8. You need to understand where the backups are, additional storage and the status of encryption. You may need to involve your information security colleagues but that’s ok. Privacy is a team sport.|
|PQ9. Inquire into their Business Continuity and Crisis Management plans||PAC9. You need to understand what is considered a critical asset and how your organization will be provided availability of customer data. You need to know if the third party has a Plan and if it is regularly tested – ask for proof!|
|PQ10. Do you have an exit strategy if things don’t work out?||PAC10. Third party vendors need to know that you have other options, in case they become too big a risk for your organization. But you need to plan that carefully: through sourcing, contract terms and conditions – particularly regarding unmet privacy and security requirements|
CNIL – the French Privacy Regulator – has clarified the responsibilities of processors early on to support the correct GDPR interpretation and implementation.
Make available to your client all the information necessary to demonstrate compliance with your obligations and to allow audits to be carried out (on the basis, for example, of the CNIL's reference framework for issuing labels for audit procedures).
(in short: [Third parties] have to provide their clients with all the necessary information to demonstrate how they respect their obligations and to be audited)
It is important to educate third parties on the existing standards and requirements that client organizations need to respond to, including the specific audit standards they need to prepare for. Third parties play their part by enabling their client organizations (primary organizations) to prove accountability and compliance with privacy laws, by demonstrating:
- How data is protected on the third party’s network
- How data protection rights can be activated by the client organization
- How the third party responds to breaches
- Their awareness of the legal implications of data offshoring – and additional safeguards
- Data localization restrictions in certain countries and possible conflict with Privacy Laws
- Data segregation on the third-party network
- Architecture for the specific product/service is compatible with Privacy by Design
Honesty is the “best policy”.
The OPC recommends that organizations make it plain to individuals that their information may be processed in a foreign country and that it may be accessible to law enforcement and national security authorities of that jurisdiction. They must do this in clear and understandable language. Ideally, they should do it at the time the information is collected.
Third party risk management is the responsibility of the primary organization that is entrusting consumer (or employee, or both) data to a third party service provider. The primary organization is ultimately responsible for ensuring that its partners and suppliers conform to its standards.
For additional resources for handling your Supply Chain Privacy, download our Practical Privacy Playbook and discover the supply chain due diligence tools we have to offer.
For additional insights and certified expertise:
- NIST 800-53 rev 5
- Standard NF ISO 19011 (Guidelines for auditing quality management systems and/or environmental management, 2002) and in adapting them to the specific context of “IT and freedoms” audits: https://www.legifrance.gouv.fr/jorf/id/JORFTEXT000024742533