Third-Party Risk Management: Protecting Data Privacy

Protecting data privacy is a critical component of third-party risk management.

Published April 28, 2015

It is no secret that today’s business world is driven by technology and digital data storage. Never before in history has the collection and transfer of information between businesses been done as rapidly or at such high volume. While this allows businesses to scale their services at a rate never before imagined, it creates a number of potential problems when dealing with sensitive personal information.

Data privacy protection is especially tricky when a business chooses to work with a third-party organization to collect or manage its data. In the modern business world it is imperative for companies to not only recognize what data is considered to be “sensitive”, but also to be proactive about ensuring that it is kept private and secure.

Secure Sensitive Data

The data that is the most significant and potentially harmful if compromised is any type of data that can be directly linked to a particular individual. This data, known as Personally Identifiable Information (PII), includes social security numbers, credit card information, medical records, etc. Many businesses store such information on a regular basis, but most do not adequately protect it.

While there are many pitfalls associated with managing digital data privacy, companies can take steps to ensure that their data remains secure both in-house and when working with third-party data management vendors.

  • Understand the risks of working with third-party vendors. Sharing key PII with a third party can lead to a loss, especially when the vendor’s financial controls are not properly certified by a recognized accounting standard such as the SSAE 16 Type II (SOC 2).
  • Be wary of nested third-party relationships. You may have vetted a particular service provider thoroughly enough to trust them with your business’s most sensitive PII, but this does not mean you are completely safe. Companies must also ensure that any and all outside entities involved with their vendors are abiding by all data security standards.
  • Be proactive when planning for a third-party data compromise. Ensure that your company has a clearly defined procedure for handling security breaches that occur outside the organization. These procedures should be tested and should include comprehensive, standardized reporting to limit loss and prevent future incidents.

The Bottom Line

The points above are but a few of the many things a business can do to protect itself from a loss related to third-party data security compromises. All of these steps and more can be best implemented through an all-inclusive vendor risk management program, like the full-service solution by Business Credentialing Services (BCS). BCS is a SOC 2 certified organization that is experienced in providing tight data security for its clients and ensuring that all clients’ vendors meet contractual insurance requirements in the event of a loss.

Outsourcing this process allows businesses to focus on providing their products and services to their clients, knowing that all of their sensitive data is being properly managed.

If you prefer to manage your COI tracking in-house, BCS's self-service solution equips you with best-in-class technology for maintaining documentation and puts you in control of review and correction.
