My previous post on this subject was to provide some awareness about GDPR (the General Data Protection Regulation).
While understanding what personal information you store internally is a big enough headache, with so many of us using third parties to provide systems of all shapes and sizes, understanding how they handle your data is critical to your GDPR governance.
Asking them whether they process any personal information that you are responsible for is key. If they do, is that personal information stored, either permanently or temporarily?
If it is, then you really need to get more information from them, which I have broken down into four categories:
- What processes and procedures do they have in place to secure your personal information?
- Are they operating an Information Security Management System (ISMS), and are they certified to standards such as ISO 27001 or SSAE 16? Always ask for a copy of the certificate and the last audit report if possible!
- How are processes tested and evaluated for effectiveness? It is definitely worth digging deeper on this if they are not formally certified to ISO 27001 or SSAE 16.
- What technical provisions are in place to defend against cyber-attacks?
- What facilities do they have in place to restore data in the event of a technical incident?
- Where is the data stored and is the data encrypted when stored?
- Is the data stored within the EU?
- Who within the 3rd party has access to your data? It is typical that some of the 3rd party's staff will have access, but is it limited to only those who need it?
- With so many cloud services in use these days, does your 3rd party pass your data to any other services, e.g. backups, business intelligence, CRM, marketing, etc.?
- Obtain information on the communication plan if the 3rd party is cyber attacked, or worse, suffers a data loss.
Finally, the one area that I am sure many legal departments will be increasingly focusing on is the level of indemnity provided by suppliers in the event of data loss. I have always felt that the easier it is to negotiate a higher indemnity, the more comfort I have in their controls; after all, most suppliers are not going to take unnecessary risk!
Whilst the areas covered are not exhaustive, responses from suppliers to the points should give you a good indication of the controls and security provided by your suppliers.
As part of your readiness for GDPR, ensuring suppliers who handle your personal information provide adequate assurances is key. Many companies - including Investis - have prepared GDPR Vendor Assessment documents to show exactly what preparations they have taken. Take a look at our vendor assessment document as a guide.
So whilst GDPR may seem a long way off, ensuring you get assurances during contract discussions from now on is critical, and if you are mid-contract, still ask the questions; most leading suppliers should be able to provide you with adequate assurances.