1. Conduct Privacy and Data Protection Risk Assessments that Cover Third Parties
A comprehensive privacy and data protection risk assessment helps an organization identify the threats and vulnerabilities it faces and reduce its risk exposure. The assessment should cover third-party access to the organization's data, systems, and facilities, not just its own operations, and should lead to concrete steps to mitigate the risks it identifies. The Federal Trade Commission first imposed this requirement on financial institutions pursuant to the Gramm-Leach-Bliley Act,2 and the requirement has since expanded to cover other entities.3 Often, parties can leverage existing assessments conducted by trusted third parties rather than starting from scratch. The documentation associated with both the draft and the final contract should record the organization's key understandings of what data the vendor may access and how, and the organization should have a process in place to revisit whether its controls remain sufficient before granting the vendor more extensive access.