Privacy is an ever-growing priority in managing the risk posture of an organisation. The increase in legislation and regulation globally is a good thing for data subjects: it clarifies and enshrines their rights to have their data kept accurate, destroyed on demand and used only for legitimate purposes (among many other advantages).
For the organisation holding the data and deciding what to use it for (the data controller), this has produced a large volume of compliance activity that is unlikely to be core business. This has often been viewed as a burden, but I am going to present a different view here, along with my guest Steve Wright, CEO of Privacy Culture. Steve has been the DPO at John Lewis Plc, Unilever and the Bank of England, a true fountain of experience!
A strategic and systematic examination of an organisation's data estate is an opportunity to shed the expensive storage of excess information; streamlining the organisation's information both safeguards the business and applies the privacy principle of data minimisation. The information to be deleted is identified through a data mapping process. The same process allows better security to be layered around the data that is truly critical to the organisation's function, and establishes the lawful basis on which each data set was collected and the purposes for which it may be used. The vendor estate will contain a mix of data processors, joint controllers and other third parties, each of which needs to be assured and managed throughout the life of the contractual relationship.
So, how do we build a privacy based programme to assure our supply chain risk?
Steve Wright, CEO of Privacy Culture
Knowing how and where your personal and confidential data is used is no longer just good risk management; it is the law. Many organisations rely on their supply chain for delivery of services and products, so it is crucial to ensure you have captured and documented how you comply with GDPR and local market (global) privacy laws and regulations.
Reviewing legacy data systems and exchanges with suppliers/vendors presents a significant chance to lower costs and minimise the risk of a breach. Operating a vendor risk management programme is, however, a significant undertaking that many organisations are not qualified to build in-house; if it is operated with a principal goal of lowering the risk of a data breach, the resources expended are far less than those of reacting to a breach. The financial, reputational and people cost of a breach is easy to review in a number of high-profile cases.
Below is a webinar video where Steve kindly invited me along to discuss third party risk, particularly when related to securing information you need to share with your vendors.
Reviewing your options for how to deliver a vendor risk management programme can take time and resources from the outset. C2 Cyber can assist with a free review at this stage, suggesting the best way to manage vendor risk based on your organisation's vendors, geographical reach and business model.
Jonathan Wood & Steve Wright
Webinar by Privacy Culture, hosting C2 Cyber on the topic of privacy risk in third parties