One of the areas that has most driven companies' maturity in applying the LGPD (Brazil's General Data Protection Law) over the last year is third-party risk management.
Many companies in Brazil face real difficulty both in passing their customers' due diligence and being approved as suppliers, and in building their own methodology for evaluating the third parties that support their most critical operations.

The bar is raised because evaluation questionnaires not only require acceptable levels of information security and privacy measures from suppliers, but also demand proof that the same safeguards and controls are applied to the third parties with whom the evaluated supplier itself interacts.
This makes sense given the chain of responsibility these relationships create; on the other hand, not all companies have the resources, technology, and teams to respond to these increasingly frequent demands.
The multi-million dollar incident involving C&M Software brought the issue into even sharper focus. Looking at it, it is impossible not to consider the exposure that the simple actions and decisions of a single third-party employee can create, leading to risks of every kind: financial, reputational, and in some cases threatening the continuity of the business itself.
So what are the minimum steps a company can take, in terms of internal organization, to gain some control over these situations?
1. Registration and classification of third parties
It seems obvious, but it needs to be said. Suppliers must be recorded in a centralized register containing all the necessary data and a basic criticality classification based on: access to critical data or systems; strategic relevance or recurrence of the service; and financial, reputational, and regulatory risk.
2. Evaluation
Apply compliance questionnaires, which can draw on frameworks such as ISO/IEC 27001 for the security assessment and on the LGPD's own requirements for privacy, while also evaluating the partner's financial health.
3. Contracts & Clauses
Contracts must require compliance with the LGPD, guarantee confidentiality, establish responsibilities and penalties for non-compliance, and, most importantly, be validated by the areas involved in the contracting process. This point is often neglected, yet it is what separates hiring a supplier who will not honor what was promised during negotiation from avoiding a lot of future headaches.
4. Reassessment at each renewal or amendment cycle
If the supplier has committed to a remediation or improvement plan, it cannot be forgotten: the supplier must demonstrate progress in its processes and maturity with each cycle. Revalidation is recommended at most every 12 months.
5. Proper closure
Another overlooked point: at the end of these contracts, revoking access, returning documents and equipment, and deleting data that may no longer be used are rarely handled properly, leaving dozens of doors open for exploitation.
With limited budgets, lean teams, and numerous daily operational tasks, more and more companies are opting to hire specialized consulting firms and solution integrators to manage these tasks professionally and efficiently.
Privacy Tools acts as the "engine" behind many contracts of this kind, providing the technology to run supplier registration, tiering, evaluation questionnaires, risk action plans, and much more, with the entire operation centralized on a platform with a very simple user experience.
Contact us to learn more about how we, together with our specialized partners, can support your company in overcoming this challenge.
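To make steps 1, 4 and 5 concrete, the following is an added example (not code from the original article, and not the Privacy Tools platform) of a minimal third-party register: it tiers each supplier by access to critical systems and personal data, flags suppliers whose last assessment is older than the 12-month revalidation window, and lists closed contracts whose access or data were never cleaned up. The vendor names, system names, the set of "critical" systems and all dates are constructed sample data and assumptions for illustration.

```python
"""Minimal third-party register: criticality tiering, reassessment tracking
and offboarding gap detection.

Added example; not code from the original article or from Privacy Tools.
Every vendor, system name and date below is constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

# Assumption: these are the systems whose access makes a supplier "critical"
# (personal data under the LGPD, payment flows, HR records).
CRITICAL_SYSTEMS = {"core-banking", "hr-db", "crm"}
MAX_REASSESS_DAYS = 365  # article: revalidate at most every 12 months


@dataclass
class Vendor:
    name: str
    systems: Set[str] = field(default_factory=set)  # systems the vendor can reach
    personal_data: bool = False                     # processes personal data (LGPD)
    sensitive_data: bool = False                    # LGPD "sensitive" categories
    recurring: bool = False                         # ongoing / strategic service
    contract_end: Optional[date] = None             # None = active, no end date
    last_assessed: Optional[date] = None
    access_revoked: bool = False                    # offboarding: access removed?
    data_deleted: bool = False                      # offboarding: data deleted?


def classify(v: Vendor) -> str:
    """Tier by access to critical data/systems, recurrence and regulatory exposure."""
    if v.sensitive_data or (v.systems & CRITICAL_SYSTEMS):
        return "critical"
    if v.personal_data:
        return "high"
    if v.systems or v.recurring:
        return "medium"
    return "low"


def reassessments_due(vendors: List[Vendor], today: date) -> List[str]:
    """Active vendors never assessed, or assessed more than MAX_REASSESS_DAYS ago."""
    due = []
    for v in vendors:
        if v.contract_end is not None and v.contract_end < today:
            continue  # closed relationship: handled by offboarding_gaps instead
        if v.last_assessed is None or (today - v.last_assessed).days > MAX_REASSESS_DAYS:
            due.append(v.name)
    return due


def offboarding_gaps(vendors: List[Vendor], today: date) -> Dict[str, List[str]]:
    """Closed contracts where access was not revoked or personal data not deleted."""
    gaps: Dict[str, List[str]] = {}
    for v in vendors:
        if v.contract_end is None or v.contract_end >= today:
            continue  # still active
        problems = []
        if v.systems and not v.access_revoked:
            problems.append("access still active: " + ", ".join(sorted(v.systems)))
        if v.personal_data and not v.data_deleted:
            problems.append("personal data not deleted")
        if problems:
            gaps[v.name] = problems
    return gaps


# Constructed sample register (hypothetical vendors).
TODAY = date(2025, 9, 1)
VENDORS = [
    Vendor("PaySwitch Ltda", systems={"core-banking"}, personal_data=True,
           recurring=True, last_assessed=date(2024, 6, 1)),
    Vendor("Office Cleaning Co", recurring=True, last_assessed=date(2025, 3, 1)),
    Vendor("OldMarketing SA", systems={"crm"}, personal_data=True,
           contract_end=date(2025, 5, 31), last_assessed=date(2024, 1, 10),
           access_revoked=False, data_deleted=False),
    Vendor("Payroll Outsourcer", systems={"hr-db"}, personal_data=True,
           sensitive_data=True, recurring=True, last_assessed=date(2025, 8, 1)),
]

if __name__ == "__main__":
    for v in VENDORS:
        print(f"{v.name:20} tier={classify(v)}")
    print("reassessment due:", reassessments_due(VENDORS, TODAY))
    print("offboarding gaps:", offboarding_gaps(VENDORS, TODAY))
```

Run as-is, it tiers PaySwitch and Payroll Outsourcer as critical, flags PaySwitch for reassessment (last assessed more than a year ago), and reports that OldMarketing SA, whose contract ended in May, still has CRM access and undeleted personal data. In a real register the same checks would run against the identity provider and data inventory rather than hand-entered flags.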