Privacy by Design: The Bedrock of Successful TPRM Initiatives

  • Vanessa Movasseghi, Capco; Nick Geyer, OneTrust
  • Published: 16 December 2024


Organizations increasingly recognize the importance of embedding ‘privacy by design’ into their Third-Party Risk Management (TPRM) strategies – but most are yet to take action. We look at how to embed privacy by design at scale across the organization, and how such an approach informs TPRM, enforces compliance, and mitigates risks associated with generative AI. 

Leading financial institutions rely on their privacy teams to execute privacy impact assessments before authorizing third parties to access and process personal information. However, the majority of US financial institutions still lack the ability to proactively manage third-party-induced privacy risks throughout the entire relationship lifecycle, from initial risk and impact assessments to vendor off-boarding and data retrieval.

A survey conducted at the recent Capco-OneTrust "Reinventing Third-Party Risk Management: Privacy by Design" seminar revealed that only 25% of attendees have adopted continuous monitoring of their service providers as part of an integrated privacy by design framework. This leaves three-quarters of organizations lagging behind, with 38% acknowledging significant room for improvement.

Successful monitoring and management of third-party risks depends on the buy-in and participation of multiple stakeholders and business owners. Alongside privacy and data protection, teams in compliance, information security, procurement, HR, and marketing all have roles to play when embedding privacy and managing risks across the data lifecycle and external partnerships.

Unfortunately, much of the data required for an integrated approach remains isolated in separate parts of the organization. Fragmentation leads to organizational silos and communication breakdowns, where departments operate as ‘black boxes’, each unaware of how other business units process and share data with third parties. These silos are often the root cause of operational inefficiencies, financial losses, and compliance failures.

Other risks include unknowingly onboarding multiple vendors with overlapping functionalities so that businesses end up paying many times for identical services, draining resources and increasing data sprawl.  

Similarly, teams often seek new vendors for specific use cases without checking whether an existing vendor could fulfill the new need. Without access to TPRM system intelligence, organizations miss opportunities to expand current relationships, which would shorten the procurement process and avoid adding another vendor's risk to the estate.

Other drivers include the rapid evolution of data protection initiatives. In recent years, general data protection and financial sector regulators have actively published guidelines for management of data sharing and third-party risks.   

  • Recent guidelines issued by the European Data Protection Board1 in relation to GDPR put additional emphasis not just on third parties but on fourth- or even fifth-party ‘sub-processors’.
  • The EU Digital Operational Resilience Act (DORA)2 entered into force in 2023 and applies from January 2025; it imposes significant cybersecurity and resilience obligations on financial institutions and on their critical ICT suppliers.
  • In the US, the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System (FRB), and the Office of the Comptroller of the Currency (OCC) published the Interagency Guidance on Third-Party Relationships: Risk Management (2023)3, which details how banks should manage third-party risks that may negatively impact banking operations and could result in harm to customers.

Consider the use of something as simple as an email marketing service. If the service provider hosts its servers in the cloud, the cloud platform becomes a sub-processor, which, hopefully, the email marketing service is monitoring. As supply chain relationships multiply, ‘privacy by design’ is not just desirable, it is the foundation of a resilient data ecosystem that can track sprawling processor and sub-processor networks.

Technical innovation adds to the complexity. What if your email marketing partner uses generative AI to draft content for a new campaign? What large language model does it use? Will your customers’ data be used for model training? By thoroughly vetting AI-driven tools and their providers, businesses can safeguard personal data while leveraging the business potential of AI responsibly.
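As an added illustration of the two points above (tracking sub-processor chains and flagging AI training on customer data), the following Python is not code from the article or from Capco or OneTrust. It walks a constructed vendor inventory, reports every party that can receive a given data category together with its tier (third, fourth, fifth party) and the chain it arrived through, flags parties that attest to training AI models on that data, lists functions bought from more than one vendor, and surfaces sub-processors that appear in a chain but have never been vetted. The vendor names, attributes and the inventory structure are assumptions made for the example.

```python
"""Sub-processor chain walk over a vendor inventory (added example, not the
article's own method). INVENTORY is constructed sample data, not a real
vendor list."""
from collections import deque

# Constructed inventory: for each vetted vendor, the data categories it
# receives, its declared sub-processors, its function, and its attestation
# about training AI models on the data it receives.
INVENTORY = {
    "EmailCampaignCo": {"data": {"email", "name"}, "subs": ["CloudHostInc", "GenAIWriter"],
                        "function": "email marketing", "trains_on_data": False},
    "CloudHostInc":    {"data": {"email", "name"}, "subs": [],
                        "function": "hosting", "trains_on_data": False},
    "GenAIWriter":     {"data": {"name"}, "subs": ["LLMProviderX", "AnalyticsCo"],
                        "function": "content generation", "trains_on_data": False},
    "LLMProviderX":    {"data": {"name"}, "subs": [],
                        "function": "llm", "trains_on_data": True},
    "NewsletterPro":   {"data": {"email"}, "subs": ["CloudHostInc"],
                        "function": "email marketing", "trains_on_data": False},
}


def exposure(inventory, direct_vendors, category):
    """Map every party that receives `category` to (tier, chain).

    Direct vendors are third parties (tier 3); each hop down a sub-processor
    list adds one tier. A sub-processor only counts as receiving `category`
    if it is in its own data set and its upstream already received it, since
    data cannot flow through a party that does not hold it. Breadth-first
    order means the recorded tier is the shortest chain; a party reachable
    through several vendors (CloudHostInc below) is reported once.
    Sub-processors missing from the inventory are skipped here and reported
    separately by unvetted_subprocessors().
    """
    result = {}
    queue = deque((v, 3, (v,)) for v in direct_vendors)
    while queue:
        name, tier, chain = queue.popleft()
        if name in result or name not in inventory:
            continue
        if category not in inventory[name]["data"]:
            continue
        result[name] = (tier, chain)
        for sub in inventory[name]["subs"]:
            queue.append((sub, tier + 1, chain + (sub,)))
    return result


def training_parties(inventory, exposure_map):
    """Parties in an exposure map that attest to training AI models on the data."""
    return sorted(p for p in exposure_map if inventory[p]["trains_on_data"])


def overlapping_functions(inventory):
    """Functions bought from more than one vendor: redundancy candidates."""
    by_function = {}
    for name, vendor in inventory.items():
        by_function.setdefault(vendor["function"], []).append(name)
    return {f: sorted(v) for f, v in by_function.items() if len(v) > 1}


def unvetted_subprocessors(inventory):
    """Sub-processors named in a chain that have no inventory record of their own."""
    declared = {s for vendor in inventory.values() for s in vendor["subs"]}
    return sorted(declared - set(inventory))


if __name__ == "__main__":
    direct = ["EmailCampaignCo", "NewsletterPro"]  # the vendors we contract with
    for category in ("email", "name"):
        exp = exposure(INVENTORY, direct, category)
        print(f"Parties receiving '{category}':")
        for party, (tier, chain) in sorted(exp.items(), key=lambda kv: kv[1][0]):
            print(f"  tier {tier}: {' -> '.join(chain)}")
        print("  trains AI on this data:", training_parties(INVENTORY, exp))
    print("overlapping functions:", overlapping_functions(INVENTORY))
    print("unvetted sub-processors:", unvetted_subprocessors(INVENTORY))
```

Run against the sample inventory, the "name" walk reaches LLMProviderX at tier 5 through EmailCampaignCo and GenAIWriter and flags it as training on the data, while NewsletterPro never appears because it does not receive names; the "email" walk stops at the hosting provider because GenAIWriter is not declared to receive email addresses. AnalyticsCo is surfaced as an unvetted sub-processor rather than silently treated as safe.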

The interplay of these factors creates a volatile and unpredictable environment for privacy and data protection. To navigate this turbulence, organizations must adopt agile, proactive strategies that include robust governance, privacy by design, and scalable third-party risk management frameworks.

  • Establish clear accountability: Designate specific individuals or teams responsible for vendor oversight and TPRM workflows across the partnership lifecycle.
  • Enable strategic leadership: Empower leaders from multiple departments, such as IT, procurement, and compliance, to champion privacy initiatives collaboratively.
  • Adopt dynamic risk assessments: Regularly re-evaluate risks to account for changes in vendor services, technology, or regulatory requirements.
  • Reduce vendor redundancy: Audit for overlapping vendors to eliminate duplications, maximize resource use, and streamline operations.
  • Foster interdepartmental collaboration: Promote regular communication between teams to identify synergies and leverage approved vendors for new use cases.
  • Vet AI-driven tools thoroughly: Assess the data practices of AI-enabled vendors to ensure compliance and safeguard sensitive information.
  • Choose the right privacy by design platform: Opt for a solution that integrates privacy, security, and vendor management, with features like automated risk assessments, regulatory tracking, and strong third-party monitoring capabilities.
  • Implement robust internal policies and governance processes: Establish the framework, policies, and accountability needed to ensure privacy and risk management practices are consistent, effective, and aligned with regulatory requirements.


Above all, a proactive strategy enables organizations to move beyond compliance. It reduces risk, optimizes costs, and creates opportunities for operational excellence. The outcome is a more resilient, agile organization ready to adapt to the rapidly changing privacy and security landscape.  


1 https://www.edpb.europa.eu/news/news/2024/edpb-adopts-opinion-processors-guidelines-legitimate-interest-statement-draft_en
2 https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en
3 https://www.govinfo.gov/content/pkg/FR-2023-06-09/pdf/2023-12340.pdf

© Capco 2025, A Wipro Company