Organizations today increasingly operate in a global environment. Although many organizations operate in the United States, they may also provide services or sell products to consumers and other business customers abroad. When personal information is collected for marketing purposes, to process payment, for purposes of employment, or to provide services, privacy laws often apply abroad, while organizations in healthcare, banking, and education may be obligated to ensure third parties follow applicable laws in the United States.
New data protection laws like the General Data Protection Regulation (GDPR) require all parties, including third-party providers, to follow the European Union’s data protection laws when processing personal information of EU residents, even when that third party operates in the United States. When contracting for third-party services, information security and privacy personnel must consider the implications of data transfer and storage on their obligations to customers and employees. Third parties will also benefit from understanding expected requirements from business customers.
Key learning points:
- Explain applicable international privacy laws and techniques for managing third parties
- Explain industry-specific privacy obligations with relation to third parties
- Review strategies for managing third-party risk in compliance with applicable laws
- Review contract terms and considerations that should be used when negotiating contracts
- Understand potential points of negotiation from the third party and customer perspectives
About Charlotte Tschider
Charlotte Tschider is an affiliated professor with the Mitchell Hamline School of Law’s Cybersecurity and Privacy Law program and owner and principal of Cybersimple Security, which provides U.S. and international privacy and security consulting services. She is also a member of the International Association of Privacy Professionals (IAPP) training advisory board, reviewing international professional privacy educational books and training materials. Tschider has led information technology teams and served as a privacy liaison in various industries for 15 years, including mobile engineering, risk management and incident response. Tschider holds a J.D. from the Hamline University School of Law and an M.A. in rhetoric, scientific and technical communication from the University of Minnesota. Tschider holds industry certifications in IAPP’s CIPP for the United States and Europe (CIPP/US, CIPP/E) and ISC2’s CISSP.