Third Party Data Management Policy Template | Data Governance Framework
As a valuable asset, data requires proper governance that combines protection rules and classification methods while upholding the applicable regulatory framework (federal, state, and, where relevant, EU regulations). Federal and state laws and EU standards require us to secure information according to its classification level and to protect the privacy rights of our customers, our workforce, and our affiliation network. When customer data is well managed, accurate, and stored securely, our organization can make better decisions and deliver outstanding customer service.

Obligations of Third Parties
Every third party that handles, stores, or processes sensitive data is required to fulfil these principles. Third parties will:
1. Maintain full compliance with all applicable regulations when handling the sensitive data our organization shares with them or for which our organization acts as steward.
2. Process and store data only to the extent required for the purposes permitted by applicable regulations.
3. Process data only on our organization's instructions, making no independent decision to use sensitive data for any purpose beyond those specified in applicable regulations.
4. Acknowledge that all personal sensitive data they process on our organization's behalf remains the property of our organization and of the individuals to whom it relates.
5. Keep a record system that documents processing activities in accordance with the prevailing regulations.
6. Transfer sensitive data to a foreign country or international organization only on our organization's documented instructions.
7. Ensure that the individuals authorized to access sensitive data within their organization either give an explicit confidentiality undertaking or are bound by relevant statutory confidentiality rules.
8. Maintain adequate physical, technical, and administrative security measures to protect all sensitive data transferred or disclosed to them by our organization against loss, misuse, unauthorized access, alteration, accidental or unlawful destruction, and unauthorized disclosure. Such measures and safeguards may include but are not limited to the following:
- Developing organizational policies for handling sensitive data
- Protecting systems from cyber attacks
- Setting up firewalls
- Storing sensitive data securely with access only to specific authorized individuals strictly on a need-to-know or need-to-access basis
- Implementing strong data encryption technologies
- Ensuring that Personal Data cannot be read, copied, modified, or deleted without the prior written consent of the Data Controller
- Implementing a formal data mapping system
9. Ensure that anyone who has access to the sensitive data disclosed by our organization is subject to a duty of confidentiality, by putting in place a confidentiality agreement or acceptable use policies. The confidentiality undertaking continues after the termination of the third-party agreement.
10. Not disclose the sensitive data unless:
- the prior written consent of our organization has been obtained
- the disclosure is required by law
- the relevant information is already in the public domain.
11. Report any suspected, actual, threatened, or potential data breach to our organization immediately, and in any case within 12 hours of its occurrence, with sufficient information to allow our organization to meet any obligation to report to the regulators or to inform the affected individuals.
12. Assist our organization in the investigation of a data breach, taking reasonable and diligent steps as directed by our organization to manage, mitigate, and remediate it.
13. Delete all sensitive data immediately at the end of the data processing activities (e.g. termination of the third-party agreement) or on our organization's written request, and in any case within 30 days.
14. Return all sensitive data in their possession to our organization, as controller, by secure file transfer or another means communicated by our organization, on our organization's request.
15. Obtain our organization's written consent before transferring or disclosing sensitive data that relates to our business areas.
16. Remain responsible for adequate protection of sensitive data when it moves to another jurisdiction under our organization's written consent.
17. Permit audits by our organization that verify that processing operations comply with the related policy requirements and applicable regulations.
18. Provide our organization with the support and information needed during audits to confirm that the technical and organizational measures are implemented.
19. Report to our organization whenever they cannot share information because of regulatory disclosure obligations.
20. Submit to annual data protection evaluations and compliance inspections in accordance with current legislation.
21. Obtain our organization's written approval before any transfer of sensitive data to a third-party sub-processor becomes necessary. The data processing commitments remain in force throughout the agreement, including after both parties terminate the processing agreement.
22. Where the third party engages a sub-processor on the authorization of our organization, ensure through a data protection agreement that the sub-processor carries forward the same commitments made to the Processor under this Agreement.
Technology Enablement
Third-Party Risk Management (TPRM) Platforms
Key capabilities:
- The platform checks vendor financial stability alongside security measurements, using more than fifty risk factors.
- The system provides centralized storage for BAAs, DPAs, and audit reports.
- The Prevalent platform generates automated remediation plans whenever a vendor's security score reaches a specified threshold.
Privacy-Enhancing Technologies (PETs)
- Homomorphic encryption lets vendors perform computations on data without decrypting it.
- Marketing analytics pipelines pass sensitive fields through tokenization, replacing the data with non-sensitive tokens.
- Blockchain-based audit functionality produces an unalterable record of third-party interactions with data systems, an approach Walmart has tested within its supply chain framework.
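The tokenization bullet above is the one PET on this list that a data steward can stand up with very little machinery, so here is an added illustration of the pattern (example code written for this page, not part of the template or of any vendor product). It assumes a vault-based design: the controller keeps a mapping from sensitive values to random tokens, the analytics pipeline receives only the tokens, and only the vault can reverse them. The field names, the `TokenVault` class and the sample records are constructed for the example.

```python
import secrets
from typing import Dict, Iterable, List, Tuple

# Constructed example: the fields a marketing analytics pipeline must not see in clear.
SENSITIVE_FIELDS = ("email", "phone")


class TokenVault:
    """Maps sensitive values to random tokens.

    The mapping lives only in the vault (the controller's side of the boundary).
    Downstream systems receive tokens that carry no information about the original
    value. This differs from hashing: a hash of a low-entropy value such as a phone
    number can be recovered by trying every candidate, a random token cannot.
    """

    def __init__(self) -> None:
        self._value_to_token: Dict[str, str] = {}
        self._token_to_value: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        # Reuse the token for a repeated value so analytics can still count or
        # join on the field without ever handling the plaintext.
        token = self._value_to_token.get(value)
        if token is None:
            token = "tok_" + secrets.token_hex(16)  # 128 bits of randomness
            self._value_to_token[value] = token
            self._token_to_value[token] = value
        return token

    def detokenize(self, token: str) -> str:
        # Reversal is only possible with access to the vault; a third party that
        # holds tokens alone cannot perform this step.
        return self._token_to_value[token]


def tokenize_records(records: Iterable[Dict[str, str]], vault: TokenVault) -> List[Dict[str, str]]:
    """Return copies of the records with every sensitive field replaced by a token.

    Non-sensitive fields (segment, customer_id) pass through unchanged so the
    pipeline keeps the attributes it needs for analysis.
    """
    tokenized = []
    for record in records:
        safe = dict(record)
        for field in SENSITIVE_FIELDS:
            if field in safe:
                safe[field] = vault.tokenize(safe[field])
        tokenized.append(safe)
    return tokenized


def demo() -> Tuple[List[Dict[str, str]], TokenVault]:
    """Run the pattern over two constructed customer records that share an e-mail."""
    vault = TokenVault()
    records = [  # constructed sample input
        {"customer_id": "c1", "email": "ana@example.com", "phone": "+1-555-0100", "segment": "A"},
        {"customer_id": "c2", "email": "ana@example.com", "phone": "+1-555-0101", "segment": "B"},
    ]
    return tokenize_records(records, vault), vault


if __name__ == "__main__":
    tokenized, vault = demo()
    for row in tokenized:
        print(row)  # tokens only; the vault never leaves the controller
    print("restored:", vault.detokenize(tokenized[0]["email"]))
```

The design choice worth noting for a third-party review is where the vault lives: if the vendor operating the analytics pipeline also holds the vault, the tokenization adds nothing, so the DPA should state that the mapping stays with the controller (or a separately contracted tokenization service) and that the vendor receives tokens only.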
Organizational Roles & Responsibilities
- The Data Protection Officer ensures that DPAs are implemented and leads GDPR DPIAs for new vendor contracts.
- The Third-Party Manager maintains the vendor inventory and coordinates audits for the organization.
- The IT Security Team installs IP security controls and monitors all vendor network access through its API security controls.
- Legal Counsel drafts jurisdiction-specific clauses.