The PDPA and Third-Party Risk Management

Advisory Guidelines on Key Concepts in the PDPA: How to Comply with TPRM Requirements

it is critical to ensure that third parties use the strongest security controls when storing, managing or maintaining your organization's customer data. This section maps best practices to select articles in the PDPA to help your data privacy teams ensure that third parties are meeting data protection obligations.

NOTE: This is a summary of the most relevant articles only, and it should not be considered comprehensive, definitive guidance. For a complete list of articles, please review the complete document in detail and consult your auditor.

The Data Protection Obligation, 17.3 c)

The PDPA requires organizations to “Implement robust policies and procedures for ensuring appropriate levels of security for personal data of varying levels of sensitivity.”

To address these requirements, organizations should consider defining the following criteria as part of their third-party risk management program:

• Governing policies, standards, systems and processes to protect data
• Clear roles and responsibilities (e.g., RACI) for all members of the team
• Risk scoring and thresholds based on your organization’s risk tolerance
• Assessment and monitoring methodologies based on third-party criticality
• Fourth-party mapping to determine upstream dependencies
• Sources of continuous monitoring data (e.g., cyber, business, reputational, financial) to provide constant insight into emerging risks to data
• Contractual key performance indicators (KPIs) and key risk indicators (KRIs) to measure against
• Reporting to meet the needs of multiple internal (and external) stakeholders
• Risk mitigation and remediation strategies, including the applicability of compensating controls

Many organizations choose to align with an accepted risk management framework, such as ISO, to accomplish this. If you are looking to automate the process of measuring your TPRM program against an industry framework, be sure to select an assessment platform that provides several pre-built questionnaire options that align with multiple frameworks.

The Data Protection Obligation, 17.3 d)

The PDPA requires organizations to “Be prepared and able to respond to information security breaches promptly and effectively.”

Rapidly identifying, responding to, reporting on, and mitigating the impact of third-party vendor incidents is impossible to achieve manually or without a solid incident management foundation. Key capabilities to examine as part of your incident response program include:

• Continuously updated and customizable event and incident management questionnaires to maintain flexibility in the face of ever-changing threats
• Real-time questionnaire completion tracking to ensure acceptable progress is being made
• Defined risk owners with automated chasing reminders to keep surveys on schedule
• Proactive vendor reporting to enable third parties to self-identify incidents
• Consolidated views of risk ratings, counts, scores and flagged responses for each vendor
• Workflow rules to trigger automated playbooks to act on risks according to their potential impact to the business
• Guidance from built-in remediation recommendations to reduce risk
• Built-in report templates
• Data and relationship mapping to identify relationships between your organization and third, 4th or Nth parties to visualize information paths and determine at-risk data

The Data Protection Obligation, 17.4

PDPA suggests that organisations undertake a risk assessment exercise to ascertain whether their information security arrangements are adequate. In so doing, the following factors may be considered:

a) the size of the organisation and the amount and type of personal data it holds;

b) who within the organisation has access to the personal data; and

c) whether the personal data is or will be held or used by a third party on behalf of the organisation.

To address these suggestions, consider the following capabilities:

Self-Assessments

Conduct an internal Privacy Impact Assessment (PIA) targeting the most sensitive privacy-related data and business processes with the highest risk. The PIA evaluates the origin, nature, and severity of the potential risk. It also provides recommendations to mitigate identified risks, ensuring future compliance with privacy regulations.

Third-, Fourth- and Nth-Party Data Discovery and Mapping

Assessments and passive scanning can enable relationship mapping to trace data transfers between business relationships, identify where data exists, where it flows, and who it is shared with outside the organization.

Vendor Risk Assessments

Examine third party data privacy controls against PDPA using a common framework such as ISO. Specific questionnaire content helps to identify risks and map them to controls for a clear view of potential hot spots. As part of this process, continuously monitor the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.

Risk Response and Remediation

Establish thresholds and automate risk identification based on them. Leverage workflow rules that escalate identified risks to the proper stakeholder for immediate review and disposition. Offer third parties prescriptive remediation recommendations to hold them to account.

Compliance Tracking and Reporting

Structure compliance reporting against PDPA requirements using a common industry framework such as ISO. That will enable you to automatically map risks and responses to controls, provides a percent-compliant rating, and delivers stakeholder-specific reporting to provide visibility into data security.

Continuous Breach Event Notification Monitoring

Stay on top of potential risks to data by monitoring data breach databases. They will provide insight into types and quantities of stolen data; compliance and regulatory issues; and real-time vendor data breach notifications.

How Prevalent Helps Address PDPA TPRM Requirements

Organizations that must comply with PDPA should ensure that third parties with whom they share personal information have controls in place to protect that information. Prevalent offers organizations with a scalable third-party risk management platform that addresses data protection risks. The Prevalent Platform:

• Sets a strong foundation for third-party data protection with a comprehensive TPRM program
• Delivers visibility into where privacy data is, how it flows, and who has access to it
• Speeds risk identification and remediation, mitigating breach costs and reputational damage
• Generates targeted reports for regulators, vendors and internal stakeholders
• Continuously monitors for breaches and accelerates incident response to mitigate the risk of a damaging and expensive data security incident

With Prevalent, vendor, security and privacy teams have a single, collaborative platform for conducting privacy assessments and mitigating both third-party and internal privacy risks.

For more information about Prevalent solutions for PDPA compliance, download our comprehensive PDPA compliance checklist or schedule a demo.