The modern business world is increasingly interconnected as vast amounts of personal data, and access to this data, are shared with third parties for business efficiency.
Although this makes many business processes easier and cost-efficient, it also increases the risks arising from the involvement of third parties. For instance, Fullerton Health suffered a data breach as a result of a hack of their vendor's server in October 2021.
Despite good intentions to provide useful products and services, data breaches can happen to any organisation, in any industry, as long as they collect, use and share any form of personal data. Hence, knowing how to do the necessary due diligence in appointing and managing a third-party vendor is vital for your organisation’s data protection posture.
A recent victim of a third-party data breach was Singtel, which had a third-party file-sharing system hacked in December 2020. The telco called the incident a "sophisticated cyberattack which included exploiting a previously unknown vulnerability.”
Another example of a third-party data breach took place in Malaysia, where a e-wallet service provider, Kiplepay, suffered a data breach involving its payment gateway vendor in Aug 2022. The company called the case a “recent potential third-party data breach incident” and investigations are ongoing.
To effectively manage third-party vendor risk and performance, it is imperative to have the necessary knowledge and expertise in this area. Key personnel in organisations can get hands-on in learning about third-party management through a simulated due diligence exercise in our course here.
Most organisations make the following mistakes in the effort to procure a credible third-party vendor for outsourced services. These mistakes can be costly to the company in terms of financial losses, time and, in some cases, sustaining reputational damage and loss of revenue due to a breach.
Some errors made include:
As part of effective third-party management, companies who work with third parties would evaluate the performance and risk posed by each vendor. In data protection, organisations would look at a framework called APSR (Assess, Protect, Sustain and Respond) when managing data protection activities, risks, and controls.
When handling third-party vendors, organisations can also choose to follow a similar approach as APSR. Throughout each stage of the framework, organisations need to be mindful of various factors before engaging a vendor.
With more stringent requirements based on the evolving regulatory environment, it is vital for organisations to establish effective third-party management governance. To do so, a third-party management plan should be formulated and aligned to the overall governance, risk management and compliance (GRC) strategy of the organisation.
Some factors to consider when developing the third-party management plan:
For more Data Protection resources, visit www.dpexnetwork.org. Sign up for free as a member to have full access to all content. This article was first published on 17 December 2021.
Get access to news, enforcement cases, events, and actionable tips and guides
Get regular email updates and offers
Job opportunities, mentorship and career guidance
Exclusive access to Data Protection community - ask questions, network and share knowledge with peers and experts via WhatsApp and Linkedin
DPEX Network is a Community Initiative of Straits Interactive.
Copyright © Straits Interactive Pte Ltd. All Rights Reserved.
All intellectual property rights to logos and brands featured on this website remain the property of their respective owners.