Percona Restructures Their Third-Party Risk Management Program with OneTrust Vendorpedia™
Percona is a leader in providing best-of-breed enterprise-grade support, consulting, managed services, training, and software for MySQL®, MariaDB®, MongoDB®, PostgreSQL and other open source databases in on-premises and cloud environments. An unbiased, trusted partner, Percona provides single-source expertise in multivendor environments that eliminates lock-in, increases agility and enables business growth. Percona’s globally available support and consulting experts work with over 3,000 clients in more than 50 countries worldwide, including many of the world’s largest enterprises.
In 2018, third-party security and privacy risk management became a key corporate initiative for Percona and it still is today given the shifting regulatory environment. As we continue to pursue enterprise customers, we recognize the need for a flexible and automated platform to help us manage compliance operations and support security audits. That’s where OneTrust comes in.
In supporting a global customer base across sectors and regulatory frameworks, Percona is responsible for supporting production scope data for its customers, including personal data and sensitive information like medical and financial records. Because of this, it’s important that Percona implements proper third-party, security, and privacy controls internally, as well as holds third parties and their affiliate networks to the same standards.
Revamping Operations to Support Global Third-Party Compliance
When the EU General Data Protection Regulation (GDPR) was being finalized, Percona recognized gaps across their third-party security and privacy program, specifically as it relates to Article 32 and subprocessor requirements. “One of the driving forces behind the revamping of our third-party risk management program was GDPR subprocessor requirements,” said Futas. “We needed to implement changes with our vendor management that would comply with the GDPR and align with ISO standards.”
Addressing these gaps was a daunting task, so Percona sought out a consulting firm to support the restructuring of their existing program. The consulting firm helped produce policies and procedures that closed the gap, but Percona still wanted automated processes to help alleviate the burden of risk management. Policies and procedures are a great start, but Percona determined automating parts of its security and privacy program would align best with customer expectations.
To execute its vision of a revamped third-party risk management process, Percona tapped OneTrust to streamline and automate GDPR requirements, including creating a record of processing activities and data mapping for Article 30 and 32 requirements. Shortly after partnering with OneTrust for PIA/DPIA Automation, Data Mapping Automation, and Data Subject Rights Management, Percona sought out additional OneTrust modules, including Incident and Breach Management and Vendorpedia™ third-party risk management software.
The Percona compliance team initially faced difficulties when researching third parties, completing SIG and SIG Lite assessments on time, and determining when new risks emerged. The third-party risk management process was monotonous, and Percona had limited resources, especially with its increased use of cloud service providers. This changed significantly when Percona implemented OneTrust Vendorpedia.
Our initial vendor questionnaire process was via Excel and was not an efficient use of my team’s efforts. Since implementing Vendorpedia, we have a single repository for our vendor data and can automate the entire third-party risk management process, from flagging and mitigating risks, accessing pre-populated research, and attaching contracts and supporting documents to our vendors, to automating questionnaire completion.
Today, Percona has developed a robust third-party risk management program that can not only help the company demonstrate compliance, but also analyze, measure and report on vendor risks at scale. Combined, this helps the business power its mission to provide best-of-breed, enterprise-grade support, consulting, managed services, training, and software.
Building on Third-Party Risk Management Beyond the GDPR
Percona’s next hurdle is pursuing ISO 27001 certification while also implementing the new controls necessary to comply with additional regulations such as the CCPA and HIPAA.
As the company continues to account for new regulations, it has started integrating its existing technology platforms with OneTrust to keep expanding its compliance coverage. To date, Percona has integrated its marketing, CRM, and customer portals with OneTrust.
I can safely say that OneTrust has been a game changer for our business. We look forward to a continued partnership and to seeing how the OneTrust Vendorpedia product evolves to meet even more needs in the third-party risk management and compliance space.