Data is Power: Wield It Wisely

Original Source: Corporate Compliance Insights

Article URL: http://www.corporatecomplianceinsights.com/data-power-wield-wisely/

This article originally appeared in Corporate Compliance Insights on April 16, 2018

The Importance of Digital Vendor Management

The digital age breeds constant change – none more powerful than the availability of data and, more specifically, the ease of collecting and using personal data. For industry, this data has the power to both accelerate new opportunities for growth and act as an anchor to drag down momentum. In an era where businesses prize data and guard against its misappropriation, it’s troubling that this discernment doesn’t carry over to the digital environment, where countless third parties and partners on enterprise websites and mobile apps have access to personal user data, often without a company’s knowledge.

Impending regulations and the changing political landscape require a more cautious approach to the collection, use and sharing of personal data. Threats of not only hefty fines, but also long-term reputational damage induce enterprises to take a closer look at their own websites and mobile apps to understand exactly which partners execute code and which capture personal data. This basic knowledge — standard elements in a vendor risk management program — could very well be the key to mitigating future troubles if adapted for a digital-first economy.

The Legal Landscape

Thanks to more than 1,500 data breaches in 2017 alone that exposed more than 9 billion personal records and ongoing high-profile consumer data misuse, data privacy issues dominate today’s news headlines. Not just a flash in the pan, data privacy issues present critical, long-term challenges that affect both U.S. citizens and the U.S. economy.

The U.S. government has taken notice. Federal and state governments are instituting new data privacy laws that will include significant penalties against companies. California was the first state to enact a security breach notification law.[1] Following suit, the Illinois state legislature also passed a groundbreaking data privacy bill requiring internet companies and entities to clearly inform consumers about the collection of geolocation data, the purpose of the data and with whom it is shared (e.g., business partners). Massachusetts state law mandates the technical, physical and administrative security protocols required to protect personal information, as well as a full-scale security program. Thus far, 48 states in all have enacted privacy laws requiring notification of security breaches involving personal information.[2] Echoing global initiatives, especially the EU’s GDPR, the trend to more closely govern personal data will continue.

The Digital Malaise

Despite new legislation and rising public sentiment, companies are not doing enough to secure data privacy according to PwC’s 2018 Global State of Information Security Survey (GSISS).[3] The report reveals that only 51 percent of respondents have an accurate inventory of what employee and customer personal data is collected, transmitted and stored, and only 53 percent require employees to complete training on privacy policy and practices. Clearly, enterprises are not aligning with government directives.

While efforts are being made to identify personal data sources across the enterprise, very few address the digital environment – specifically their own websites and mobile apps designed for public consumption. Many companies look to their IT departments to ensure that their website is operational, but many departments such as marketing, product, legal and more contribute to this digital environment. As a result, no one individual or department directly manages the entire corporate digital footprint. Making matters worse, the internet’s highly complex and dynamic environment means a host of third parties operating outside the IT infrastructure are relied upon to render final, consumer-facing content such as product research, price comparisons, recommended content, product reviews, social media feeds and more.