Cultivating Compliance: How Public Sector Agencies Weed Out Third-party Risks

Third-party providers are essential to public sector service delivery but are also where regulators often see privacy issues arise. Contracts without meaningful privacy protections, risk assessments that never get revisited, and oversight that stops at onboarding, are recurring themes in complaints, breach notifications and investigations. In this session, representatives from state and commonwealth privacy regulators share their perspectives on vendor-related privacy risk, with a focus on issues arising in public agencies. They will discuss common gaps that lead to regulatory trouble, what satisfies regulator’s expectations versus what falls short, and where their compliance and enforcement focus is heading.

What you will learn:

• Vendor management failures that most frequently surface in complaints and investigations.

• What regulators look for when assessing whether an agency met its privacy obligations.

• How to embed privacy requirements into procurement, use risk assessment, and review compliance in a way that helps avoid problems.