Facebook and GDPR Show the Importance of Third Party Privacy Monitoring

May 2, 2018

Written by Anne Kimbol, Assistant General Counsel – Chief Privacy Officer at HITRUST

The Facebook-Cambridge Analytica issue became public at the same time businesses were working towards the May 25th deadline for compliance with the European Union’s General Data Protection Regulation (GDPR). Timing is not the only commonality here; they both tell a vital story about privacy best practices and third parties.

The GDPR states that the party responsible for the data (the controller) retains responsibility no matter where the data goes; this is consistent with privacy laws and frameworks worldwide. Likewise, Congress pressed Facebook CEO Mark Zuckerberg on third-party use of data, asking who receives data from Facebook and what limits there are on how they can use it. It appears that Facebook had been giving information to researchers and app developers with some privacy language in the contract but no auditing or follow-up. The end result of that privacy posture should not be a surprise: a contractual clause that is never verified is a promise, not a control.

Privacy officers can use these headlines to remind the C-suite that privacy is important and requires proper resources, not just for internal implementation and monitoring but for a similar focus on third parties (nothing like a possible fine of up to 20 million euros or 4% of global annual turnover, whichever is higher, or a hearing held while a CEO's net worth drops $9 billion over 48 hours, to get people's attention). While auditing the privacy practices of every third party receiving data can seem like an overwhelming project for most businesses, HITRUST can help.

While the CSF is best known in the security world, it also includes privacy best practices, risk management requirements, and GDPR requirements. Companies that require HITRUST privacy and security certification before and during the life of any contract that allows data to be shared with outside entities have an efficient and effective method of monitoring joint data controllers or data processors and the privacy of their data. Leveraging the CSF allows companies to acknowledge that they do not have the resources to do third-party monitoring on their own while still ensuring it gets done. As Facebook has learned the hard way, failure to do this monitoring may lead to some very unpleasant conversations with the Federal Trade Commission, EU Data Protection Authorities, business partners, stockholders, consumers, and possibly a panel of Congressmen or Senators.

To find the latest version of the CSF, which includes GDPR, please go here. For more on HITRUST and third-party risk assessment, go here.

