Do You Have a Data Risk from Suppliers and Partners?

Data Risk

The Facebook/Cambridge Analytica debacle has shown how easily suppliers and partners can create a customer data risk. Not only has it affected Facebook’s business, it’s even damaged Mark Zuckerberg’s personal credibility.

This has highlighted the need for organisations to urgently review their partner and supplier data practices.

Minimising Your Data Risk And Your Exposure

In a nutshell, how can you:

  • mitigate the security risks within your wider ecosystem?
  • ensure the safety and security of sensitive data that you share?
  • give customers confidence that your processes protect their data, wherever it is located?

Of course, it’s a given that you need the best integrated security technology, but it’s not just about the ‘tech.’ You also need to exercise due diligence by…

Asking The Right Questions About Data Risk

Asking the right questions of yourself and also of your business partners will help protect you and your customers. In relation to individuals’ data, the EU GDPR requires you to satisfy yourself that all suppliers are compliant.

A reinforcing thought: what would the fallout for FB have been if it had been upfront, taken sensible steps to ask the right questions of Aleksandr Kogan, and then taken action on the answers?
(Having said that, maybe it did?)

So, here are some typical questions you might want to consider asking a data processing and management supplier/partner:

Q1. Am I and my team happy that this potential supplier will not create a data risk?

  • What are their references?
  • Do they have any form of ISO/BS/Security/Data Management accreditation?

Q2. What data are we passing to them that’s sensitive? Is it:

  • individuals’ data?
  • classified data?
  • company confidential?

Q3. What data is not sensitive?

  • How do you determine this?

Q4. How does my supplier ensure this data is managed correctly?

  • What are their data management, recovery and breach notification processes?
  • Do they perform data management training?
  • Interview and test key personnel (especially for highly sensitive and confidential data)?
  • How is the data stored, and who has access?

Q5. What technology are they using to:

  • protect stored data?
  • protect data in transit?
  • minimise security breaches?
  • identify security breaches?

You Know Your Business

Every organisation is different and you’re the experts on your business and relationships. You know the questions to ask about data risk because you’ve done all this internally. And you know the answers that are required.

It’s never been so important to ensure that you have also done your due diligence in verifying all your external data links.

Don’t forget, you may well be a supplier to other organisations. They are very likely to be asking the same of you.
(BTW: If they don’t… you might want to tread warily.)

N.B. Finally, with the forthcoming EU GDPR, as a ‘Data Controller’ you have a legal responsibility for the performance of your ‘Data Processors’ (i.e. suppliers/partners).

In Summary

You’ve embraced ISO/BS standards and are hopefully GDPR ready – internally.

If the supplier/partner question has not already been considered, I hope this article is sufficiently thought-provoking to prompt you to ask your suppliers for their data handling credentials.

—————————————————————————-

About The Author: Andi Robinson (E: andi.robinson@egosecure.co.uk)

A veteran of the IT Sector. 33 years in the industry (marketing, sales, management), 18 years in IT Security – of which, 8 years international consulting. Currently CSO for EGOSecure UK.