Data Processing Ecosystem Risk Management

00:00

Welcome to Lesson 2.4 Identiod Data Processing Ecosystem Risk Management.

00:06

Mhm.

00:08

In this video we will cover the identify category number four. Data processing ecosystem risk management. We'll look at the five subcategories of data processing ecosystem risk management. And then we're also going to look at how data processing ecosystem risk management differs from the risk assessment in the previous uh lesson.

00:29

So here we are in data processing ecosystem risk management, I D D E. P.

00:36

The organization's priorities, constraints, risk tolerance and assumptions are established and used to support risk decisions associated with managing privacy risk and third parties within the data processing ecosystem.

00:50

So as you can see here, we have five subcategories and this is really focusing on third party risk management when it comes to privacy risk. So this is where you want to ensure that you have policies, processes and procedures in place that help you manage this third party risk

01:07

as well as identifying and prioritizing uh the other parties in your data processing ecosystem

01:15

um Using a privacy risk assessment process. So these can include service providers, customers, partners, manufacturers, developers, um and those are just to name a few.

01:27

But then when we move into P3, this is also when you want to look at contracts that you may have in place with your third parties that deal with data processing to make sure measures that are mentioned in those contracts are actually being implemented and followed

01:42

um as well as in uh before you want to look at the interoperability of frameworks or similar multiparty approaches that are used to manage data processing ecosystem privacy risks. Sometimes some security frameworks do have privacy sections within those frameworks.

02:00

And so you want to look at how those may work um in correlation to whatever in this uh whether you adopt in this privacy framework or some other framework, but you want to be mindful of those as well. And then finally in P5, this is focusing on making sure that with those third parties, your routinely doing audits or looking at test results or using other forms of evaluation

02:23

to confirm that your third parties are really meeting those contractual or interoperability frameworks or other obligations that may be in place for you.

02:35

So really what I wanted to make sure in the previous lesson, we went through the identified function of risk assessment and this one work. It seems like we're also looking at risk assessment but I really want to focus on that. I. D. R. A. Was focused on looking at the risk to the individual as well as the impact of the organization.

02:54

Should there be a problematic data action that occurs whereas in this particular

03:02

category, under the identified function, what we're focused on is really looking at managing the privacy risks with the other third parties um in your data processing ecosystem. So really keeping those separate as two separate types of risk assessments that need to happen.

03:22

Um It doesn't mean you wouldn't necessarily keep them on the same risk register. You very well could but you want to make sure that you're looking at risks from these two different standpoints. Um Looking at the risk to the individual

03:35

should something happen to the personal data and how that will impact your organization? And then, like Ceta also doing a risk assessment of your partners that are within that data processing ecosystem to make sure that they're following the contractual obligations that maybe maybe in place

03:52

as well as framework interoperability or even other obligations

03:55

um that they may have to adhere to, which could be G. D. P. R. Or C. C. P. A. Since their processing data on your behalf they would have to adhere to those regulations. So just want to make sure that we're understanding the difference of these two categories within the identify function.

04:15

So pop quiz time,

04:16

data processing ecosystem risk management is focused on risk assessing the following one risk to individuals,

04:25

Two risks to the enterprise or three managing privacy risks than 3rd parties.

04:33

So the answer here is number three managing privacy risks and third parties. Because remember we went through this when I was discussing that I. D. R. A. Dash P which is the identify function risk assessment category is really focusing on the privacy risk

04:50

to the individual and how that impacts the organization

04:55

and that data processing ecosystem risk management is really focused on managing the privacy risks and third parties.

05:03

So in this video we covered the components of the data processing ecosystem risk managements of categories. And then we also looked at the risk assessment focus difference between i. D. R. A, which is the risk assessment category under identify and the data processing ecosystem risk management category under the identify function.