A new level of transparency in personal data flows
How to deploy a missing layer in the management of third-party vendors
(You are reading a GenAI-free article, solely relying on auto-correct for some expressions and typos. The image above is AI-free as well, retrieved from Canva’s photo repository.)
We recently had an internal discussion about the value of transparency in the management of data processors and third-party SaaS vendors. It occurred to us that consumer-facing, “chain of custody” transparency has never been coupled with privacy and security posture in the B2B arena, and that such transparency could very well connect with individual empowerment tools.
Expanding on it:
There is a well-established world of GRC (Governance, Risk, Compliance) accreditations. These allow corporate buyers to trust new vendors by relying on third-party auditors and a set of standards or a reputable framework. Although privacy accreditations never really took off, security attestations are commonplace (SOC 2, ISO 27001).
Then there is a reputational angle that B2C companies tend to cover through daily practices and unpredictable events. The former refers to transparency and consumer rights; the latter is mostly a matter of data breaches (invariably negative occurrences).
It is however not that clear how deficient or insufficient practices at some data processors, or service providers, affect their corporate clients in the public eye. Since a company’s marketing technology or data stack has become quite transparent through its supporting pixels and browser-level signals, we see no reason to limit a certain degree of visibility to the bilateral controller-processor relationship.
Mixing up very different audiences - tread carefully
Transparency is about comprehensible information, and this will not, by definition, be the same in all contexts. We have for quite some time had a wide range of tools empowering Data Protection Officers and other privacy professionals with an x-ray breakdown of hidden server calls, tag container requests, and other means of exposing hidden IT suppliers within their company’s digital properties. These have sometimes been enriched with pixel translation files, cookie databases, and other external sources allowing us to map specific requests to their associated technologies, or the location of their servers.
There was only so much that could be retrieved through such a process, but it was sufficient to empower subject matter experts to then complete the picture with an in-depth analysis of the underlying contractual frameworks (e.g., a Data Processing Agreement, or Standard Contractual Clauses for international data transfers), or even with subsequent questionnaires and requests in which newly discovered vendors could disclose their privacy and security safeguards. These findings cannot, however, be interpreted by a non-specialist audience.
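As an added illustration (not code from the original article, and not a description of any particular product), here is a small Python script that performs the first, automatable step described above: take a HAR-style capture of a page load, separate third-party requests from first-party ones by registrable domain, map each third party against a vendor inventory, note which of them set cookies, and flag the hosts the inventory does not know. The HAR entries, the vendor inventory, the server regions and the public-suffix shortlist are all constructed for the example; real tooling would use the full Public Suffix List (for instance via tldextract) and an inventory maintained from the contractual review the article describes.

```python
from urllib.parse import urlparse

# Constructed, minimal HAR-style capture of one page load. Not a real export;
# in practice you would json.load() the HAR saved from the browser's devtools.
SAMPLE_HAR = {
    "log": {
        "entries": [
            {"request": {"url": "https://www.example.co.uk/"},
             "response": {"status": 200, "headers": []}},
            {"request": {"url": "https://www.example.co.uk/static/app.js"},
             "response": {"status": 200, "headers": []}},
            {"request": {"url": "https://www.google-analytics.com/g/collect?v=2"},
             "response": {"status": 204, "headers": []}},
            {"request": {"url": "https://stats.g.doubleclick.net/j/collect"},
             "response": {"status": 200,
                          "headers": [{"name": "Set-Cookie",
                                       "value": "IDE=abc; Domain=.doubleclick.net"}]}},
            {"request": {"url": "https://script.hotjar.com/modules.js"},
             "response": {"status": 200, "headers": []}},
            {"request": {"url": "https://cdn.unknown-tracker.example/pixel.gif"},
             "response": {"status": 200, "headers": []}},
        ]
    }
}

# Hypothetical vendor inventory: registrable domain -> (vendor, category, server region).
# In a real deployment this is the output of the manual DPA/SCC review, not a guess.
KNOWN_VENDORS = {
    "google-analytics.com": ("Google Analytics", "analytics", "US"),
    "doubleclick.net": ("Google Marketing Platform", "advertising", "US"),
    "hotjar.com": ("Hotjar", "session replay", "EU"),
}

# Stand-in for the Public Suffix List so the example runs offline;
# use tldextract or the full list for real captures.
MULTI_PART_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host):
    """Reduce a hostname to its registrable domain (eTLD+1)."""
    parts = host.lower().rstrip(".").split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in MULTI_PART_SUFFIXES:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


def classify_requests(har, first_party_domain, inventory=KNOWN_VENDORS):
    """Group third-party requests by registrable domain and annotate each
    group with what the vendor inventory knows about it."""
    report = {}
    for entry in har["log"]["entries"]:
        host = urlparse(entry["request"]["url"]).hostname
        if not host:
            continue
        domain = registrable_domain(host)
        if domain == first_party_domain:
            continue  # the controller's own infrastructure is not a processor
        headers = entry.get("response", {}).get("headers", [])
        sets_cookie = any(h.get("name", "").lower() == "set-cookie" for h in headers)
        vendor, category, region = inventory.get(domain, (None, None, None))
        rec = report.setdefault(domain, {
            "vendor": vendor, "category": category, "region": region,
            "hosts": set(), "requests": 0, "sets_cookies": False,
        })
        rec["hosts"].add(host)
        rec["requests"] += 1
        rec["sets_cookies"] = rec["sets_cookies"] or sets_cookie
    for rec in report.values():
        rec["hosts"] = sorted(rec["hosts"])
    return report


def unknown_third_parties(report):
    """Domains that received data but are absent from the inventory: these are
    the candidates for a vendor questionnaire or a search for the missing DPA."""
    return sorted(d for d, rec in report.items() if rec["vendor"] is None)


if __name__ == "__main__":
    rep = classify_requests(SAMPLE_HAR, "example.co.uk")
    for domain, rec in sorted(rep.items()):
        print(f"{domain:28} {rec['vendor'] or 'UNKNOWN':26} "
              f"{rec['category'] or '-':14} {rec['region'] or '-':3} "
              f"requests={rec['requests']} cookies={rec['sets_cookies']}")
    print("needs review:", unknown_third_parties(rep))
```

The output of this step is exactly what the article says it is: an inventory of who received data, not a judgement about them. The unknown domain is the point at which the automated part stops and the expert review (contract, questionnaire, transfer mechanism) begins.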
Communicating hidden risks to end users, and rewarding companies that protect their data more effectively, requires an upfront analysis of the technology at play (and the categories it belongs to) or its available documentation, ensuring that only final conclusions are presented to the recipient. This requires the manual intervention of certified professionals. On top of that, the resulting information must be presented in very clear and digestible terms, and through metrics that can be easily compounded across the entire portfolio of vendors embedded in a particular company’s stack, without falling into the trap of oversimplification.
How to marry scale and trust
It is no coincidence that we have not yet found such an alignment of the stars. Whatever can be compiled and scaled as a mere engineering challenge has already been done. And manual, ad hoc efforts undertaken by trusted, accredited professionals (lawyers, privacy engineers, certified auditors, etc.) already underpin their own business models. In other words, the two pillars that would make such a system truly valuable have already gone their separate ways: a product that scales well but is too shallow to make a real difference; a service that delves much deeper (even if limited to the B2B relationship) but is endlessly duplicated across markets and jurisdictions.
But the lines between products and services have definitely blurred. It has become much easier to structure and launch software tools, and it is in a team’s underlying credentials that value will often rest, provided that we can put together a strong enough process to avoid redundancies and benefit from “marketplace” dynamics.
It is towards this intersection that we are directing our efforts. More to follow.