The one-day livestreaming event takes place on Tuesday April 26, bringing global audiences up to speed on the latest debate from the world of third-party risk management (TPRM).
An effective TPRM programme can reduce the likelihood of a cybersecurity incident, lower your exposure to legal liability and safeguard your brand’s reputation. But managing third-party risk is increasingly challenging.
Exclusively at PrivSec Focus: Third-Party Risk, industry thought-leaders and subject matter experts will be giving their views on how the world’s big brands are reaping the benefits of a systematic and automated approach to TPRM.
Legal and Privacy Counsel at Philips, Puja Verma will feature on a panel of experts looking specifically at vendor monitoring and the essential role that transparency plays in the TPRM process.
Puja is responsible for all aspects of privacy compliance within Philips in the UK and Ireland. She especially loves creating a culture of privacy within the organisation through engaging training, building trust with stakeholders, and translating legal lingo into understandable concepts by incorporating legal design principles and analysing stakeholder engagement.
We spoke with Puja about transparency on the third-party vendor landscape and to learn more about her professional journey to date.
Could you outline your career pathway so far?
I am currently Legal and Privacy Counsel at Philips, which is probably more known for toothbrushes and kettles and air fryers, but they have a huge medical side of the business creating innovative technology to help diagnose and treat all manner of medical illnesses, so it’s very health-technology focused.
I worked in compliance for a long time leading up to this role, working for broadcasters, mostly in the entertainment business, such as Sky and A+E Networks – it was very entertainment focused then. Then I moved into the Advertising Standards Authority and built up some regulatory experience, and from there, into data protection. I’m a qualified solicitor as well.
I look at not only data protection, but also commercial law, and put that together in my role at Philips.
Where are we in terms of transparency being achieved by third party vendors?
One of the things that I’ll be talking about on the panel at PrivSec Focus: Third-Party Risk, is really to do with what transparency means, and why you need transparency when it comes to your vendors.
So, in my mind, there are two ways to look at it. One way is all about shifting liability – you do your due diligence once per year or once every two years. And then you wave that around to announce that you’ve got a compliant supplier, and that if they’ve done something wrong, you can go after them.
The flip side is that you actually want to actively monitor for a quality reason. So, you’re going to rely on whoever’s brought in the supplier to actively manage that relationship, and you’re relying on them to maintain a good relationship with the supplier.
To be honest, I think a lot of people are thinking of transparency in terms of wanting to shift their liability, and having recourse if there is a problem. And I think that’s where it becomes quite dangerous, because you’re not actually actively monitoring your suppliers, you’re just hoping that you can sue somebody else if something goes wrong.
Why is continuous third party monitoring a crucial part of risk management?
The culture of compliance you have in your organisation is going to inform how you manage suppliers that are higher up and closer to you in the supply chain.
If you decide that you don’t really care about GDPR compliance or cybersecurity, then you’re going to take on low quality suppliers, because you’re driven by something else, which is either sales, or some kind of brand reputation that you’re trying to create for yourself. It’s very short sighted.
This also means that you’re not going to be monitoring your suppliers, and like you, they’re not going to have the right attitude.
Having a collaborative attitude towards third-party risk, and therefore a positive culture around legal compliance is critical to ensure you have transparency from your suppliers. The biggest issue is whether you have the ability to flow down your requirements.
Once a supplier is using their own suppliers (that become your sub-processors), the further down the chain you go, the harder it is to monitor. And once a supplier uses a sub-processor that is a big tech company, you can be pretty sure there will be no flow down of any requirements you have except for the bog-standard “we will comply with the law”, which is not prescriptive on what is needed.
What are the key challenges that need to be overcome for improvements in transparency?
I think the biggest problem is going to be moving away from a mindset of, “Here’s a form, please complete it. Well done. We’ll see you next year.”
I think the hardest thing is going to be actually influencing the people in your business who have brought in the supplier to build a really good relationship with them, so that you can subtly observe their practices.
You can have anything in a contract that says, “We can audit you, we can do this, we can do that.” But, the reality is, are you going to enforce that? And is it reasonable to enforce it? Because anybody can get their house in order just before you’re about to arrive, or just before there’s an investigation. Actually, what you want is a full dialogue about their challenges, and for someone to own that process and to be able to provide support if something does indeed go wrong.
Also on the panel:
→ Keitumetsi Tsotetsi, Senior specialist: Group governance, risk and compliance (cyber security), Vodacom
→ Gareth Oldale, Partner, Head of Data, Privacy and Cybersecurity, TLT LLP
→ Jelle Groenendaal, Ph.D., Senior Associate Researcher, Crisislab
→ Sumeet Kukar, CEO, Arascina® - Cyber for non-techies
Panel debate time: 10:00 – 10:50 AM BST
Date: Tuesday 26th April 2022