When small-to-medium enterprise (SME) team members begin to consider how the business landscape is changing to increased data privacy regulation, the procurement process is not usually high up on their list of answers.
When small-to-medium enterprise (SME) team members begin to consider how the business landscape is changing to increased data privacy regulation, the procurement process is not usually high up on their list of answers. However, SMEs focusing too purely on in-house practices miss a key point. Both the GDPR and CCPA place new responsibilities on data controllers. In other words, the company or another body determines the purpose and means of personal data processing. They need to ensure all third-party vendors who touch their data are behaving in a compliant manner.
In short, the controller continues to hold responsibilities for compliance, even when outsourcing processing duties. The in-house compliance will not suffice. It’s now incumbent on SMEs to ensure that the vendors they work with also adhere to worldwide privacy standards.
Furthermore, the auditing process should optimally take place upfront in the procurement stage. Contracts signed without the requisite due diligence can be difficult to back out of if it later. Especially if it becomes revealed a third-party vendor is operating in an incompliant fashion. Businesses with deep existing ties to third-party vendors may not be able to start this audit process from a procurement stage. Although, experts highly recommended that existing relationships be revisited and assessed from a compliance perspective.
With all that said, here are some of the questions that all SMEs should be asking their partners, whether it be during procurement due diligence or in the revisiting of an existing relationship:
Under GDPR, DPOs are now legally required for companies processing large amounts of data. It’s almost a certainty that vendors who specialize in data processing infrastructure are operating at a scale to necessitate a DPO. Failing to cover off on this necessary compliance measure should be a disqualifying red flag in any SME’s procurement process.
Data compliance is rapidly changing and continually evolving. A telltale sign that a vendor lacks data privacy rigor is a lack of process for regular policy updates. This field is the opposite of “set it and forget it.” SMEs should be on the lookout for this when auditing vendors for suitability.
If so, what measures have they taken to ensure those entities operate in a compliant fashion? The data privacy chain extends to every processor that runs underneath the data controller umbrella. It includes “partners of partners.” If a vendor has others to help them do their work, they should be able to demonstrate the partners’ compliance.
Under the auspices of GDPR and CCPA, data controllers now have a strict obligation to respond to data breaches concerning their data subjects, but if third-party vendors are slow to recognize and report a violation, controllers may have no chance of handling data breaches in a compliant fashion. Thus, reaction and response time is a crucial concern when evaluating a partner for suitability.
Without a clear-cut process for erasing subject data in a compliant fashion, it’s a possibility a data controller gets stung by vendor negligence, even after their business relationship has ceased to exist. For this reason, it’s essential to have data sunsetting processes built into third-party agreements upfront. Otherwise, controllers have no legal recourse if vendors mistreat their data after completion of the contract.
Published from our Privacy Magazine – To read more, visit privacy .dev
Ethyca’s CEO Cillian Kieran explains the significance of the team’s CIP certified patches.
Learn more about all of the updates on the Fides 2.20 release here.
Ethyca’s Principal Product Manager Rachel Silver takes you through the privacy intelligence dictionary Fides Compass, and shows how it makes data mapping, consent, and compliance faster and easier than ever.
Fides Compass provides deep intelligence about commonly used third-party vendors to automate data mapping and consent, getting you to a state of global privacy compliance quickly. Learn everything about what Fides Compass does, and how, in this blog post.
Our web developer, Suchi Natarajan, breaks down the Global Privacy Control (GPC) and how to comply with it.
Our VP of Sales, James Frey, breaks down how Ethyca’s privacy solutions bridge the silos between legal and engineering teams.
Our team of data privacy devotees would love to show you how Ethyca helps engineers deploy CCPA, GDPR, and LGPD privacy compliance deep into business systems. Let’s chat!Request a Demo