Data-privacy laws like the General Data Protection Regulation (GDPR) not only require your business to be compliant; they also require your company to ensure that the suppliers and partners who manage your data are compliant as well.
Technology vendors, like Ventiv, are classed as data processors when they hold or have access to your data. It is this classification that means they are subject to data protection rules, just as organizations that collect data are.
When your customers choose to buy from you, they are putting their trust in you and your suppliers to keep their information safe. When you consider the consequences your business could face if one of your partners breaches data protection legislation, it’s crucial that you ensure your partners are compliant.
You should ask your suppliers the same questions you ask within your business
If you’re not quite sure what you need to be doing to make sure your technology partner is GDPR-compliant, you should approach it in a similar way to how you have within your own organization. Good companies should be able to answer your questions.
Great suppliers, however, should be able to go an extra step and have a proactive approach to supporting their customers’ data governance and compliance with data-privacy laws.
So, here are 5 things that your software vendors should be doing for you:
1. Investing in their software capabilities
If your software partners are continually improving their technology, it shows their commitment to you. This investment should also address data-privacy legislation (which is an increasingly global concern, as I discussed in a previous blog post). Things you should ask include:
- How the software architecture meets the privacy by design/default standards. This means having processes integrated into the system to anticipate, manage and prevent data-protection issues before someone’s information is even entered into the system. The user of the system can be assured that the default settings will use personal data in a way that is compliant with GDPR and other legal requirements.
- What controls are in place to support regulatory compliance requirements. Examples include having default settings set to ‘opt out’ for marketing contact, or default data-retention limits. There should also be controls in place that manage permissions about sharing data.
- How the system enables customers to truly manage and govern the data that it holds. That includes encryption of data when stored in or transferred from the system, flagging personal data, anonymization of personal data, and handling data of those who have requested not to be contacted.
2. Demonstrating that they are compliant within the legal jurisdictions in which they operate
Your supplier should be able to show evidence that they meet the GDPR rules, and other legislation, in respect of managing your and your customers’ data. This applies to all relevant territories. Have a read of our article about the case for cross-region GDPR-level data governance. Evidence of this should include:
- Proof of organizational, technical, and security controls in place
- Documented policies and procedures around securing, handling, and managing data
- Recordkeeping demonstrating a history of compliance, with internal controls and procedures
3. Having a strong security and privacy program in place
Even with the best of intentions, a data breach can happen. It is when an unfortunate event like this occurs that you will see how well your supplier really performs. Your software provider should have:
- A defined Incident and Breach Response Program that allows them to effectively manage and respond to incidents
- A robust training program for employees on information security and privacy
4. Having externally accredited third-party audits
One way to ensure your supplier is meeting industry standards is for them to be accredited to the standards set by an internationally recognized body. Good examples of accreditations are ISO27001:2013, ISO27018 and SSAE18 SOC 1 or 2.
5. Being covered by cyber security insurance
Insurance provides added peace of mind that your software supplier is taking information security seriously, and it is a safety net in case something goes wrong. Insurance companies also usually have set criteria that organizations must meet before they will insure them.
For risk and claims management, having the level of data governance described above is critical for the effective management of customers’ personally identifiable information.
At Ventiv we can easily demonstrate our GDPR processes, which certainly is appreciated by our clients. As part of our investment in our technology platform, we have introduced the Data Governance module.
This add-on to your RiskConsole & RiskConsole Advance system is the ideal way to manage your data protection obligations under GDPR (as well as other legal jurisdictions). If you are serious about looking after your customers’ data, you should consider a software solution like this.