
Mess with the bull, you’ll get the horns: doing right by data law

Posted By sme-admin on March 4, 2025 Features
Phillip Mellet, General Counsel of Pipedrive

In this article, Phillip Mellet, General Counsel of Pipedrive, discusses the issues around trusting and verifying the data practices of partners, and ensuring the data privacy and protection side of best practices is highly secure.

UK GDPR and the price of non-compliance should be top-of-mind for business leaders.

Data is central to businesses, from reasonably simple areas like email lists to more sensitive and personally identifiable characteristics like identity, health, and financial data that businesses need from customers to provide services.

Businesses should note that as of January, there’s been a cumulative tally of just over €5.5 billion in GDPR-related fines in the UK and EU. That means that some organisations – the ones that have been caught – are egregiously getting their obligations for fair, safe, and secure data processing and protection wrong. With high costs for infringement, leaders must ensure they do all they can to avoid investigations from the Information Commissioner’s Office (ICO) into breaches of data privacy. They should also do so because treating customer data in the right way is the right thing to do as a trustworthy, well-run organisation.

What makes digital data management more interesting is that responsibilities and risks don’t end at the boundaries of the company. Data privacy isn’t just about the policy and strategy used internally; you also need to be conscious of the partners you work with. Can you trust their data practices? What credentials do they have? What happens if something goes wrong with them, or one of their providers? Knowing what to look for in a data partner is key, so that you can keep sensitive corporate and customer data safe and secure.

There’s no getting away from the fact that if you mess up with customer data, you’re immediately stuck on the horns of a dilemma: fines for failing to follow due care, and lost customers, lost trust, lost revenue and slower future growth. Data breaches are tough to face down, and better to avoid.

Supporting businesses through the complexities of the space are online resources, partners and consultants, and best practices and standards. The steps are to understand, follow, document, and communicate appropriately.

Resources, standards, and strengthening your process

National resources provided by the ICO in the UK are a first step. Whatever your country, they often offer advice on internationally recognised standards that meet national and wider requirements, like those of the EU and the US as well.

But despite the seriousness of the matter, small businesses can stay compliant without the big budgets of an enterprise. They can use free resources like the ICO’s GDPR toolkit and NIST’s cybersecurity framework. There are low-cost and open-source tech tools for encryption, password management, and security monitoring. Many data breaches happen due to employee error, so perform regular training on the areas that catch people out, such as phishing, password hygiene, and secure data handling. And of course, implement basic security hygiene, just as everyone should at home, too: Require strong, unique passwords and enable multi-factor authentication on all accounts. Update software regularly and apply recommended patches to avoid security vulnerabilities.

In general, only collect and store necessary customer data to reduce potential errors and exposure. Access should be granted according to the needs of the role, cutting down the risk of accidents caused by untrained staff or unnecessary access. Have a simple incident response plan. Even a one-page document outlining what to do in case of a data breach can prevent panic and legal trouble. Know who to notify and have a plan for damage control, including other communication and tech channels if the usual avenues are compromised. Additionally, some industry groups and small business associations offer free legal consultations on compliance.

Sizing up partners

Questions, often provided as a checklist in a supplier information form, help you sort through needed qualifications.

An organisation’s history and reputation are the first areas to explore. Have they experienced any security breaches in the past? What do other businesses say about their security posture? Having suffered misfortune in the past doesn’t necessarily mean they are unsafe now, but their response and reaction can tell you about their leadership and culture, and if that fits with what you’re looking for.

Look at your partner’s certifications and compliance. Ensure they adhere to recognised industry standards like ISO 27001, SOC 2, GDPR, or CCPA. These indicate they have structured security and privacy controls in place and that they have invested in taking their requirements seriously. Major suppliers should have accreditations like ISO 27001:2013 surveillance audit for information security management, and 27701:2019, for privacy information management. What do these mean?

  • ISO 27001 helps organisations manage their information security, identifying and addressing information security risks.
  • SOC 2 is a cybersecurity compliance framework that evaluates how well the organisation manages its customer data.
  • GDPR is the General Data Protection Regulation, the EU’s regulation for organisations handling customers’ personal data. The UK has its own version, with foundational elements being the same, but with provisions to note around the transfer of personal data between the UK and the EEA.
  • CCPA is California’s Consumer Privacy Act, a state law that protects the personal information of residents.

Ask where and how they store their data. As with your own business, the data handling and storage policies must be present, observed, and fit for purpose. Do they encrypt sensitive information and use secure data transfer protocols? Then, what are their access controls and audit requirements? Do they limit access to only necessary personnel? How often do they conduct security audits and risk assessments? Every business sees employee turnover and other changes in its workflows, so regular checking helps prevent issues snowballing into incidents.

If a breach occurs, do they have a clear, well-documented plan to mitigate the impact and notify affected parties? An incident response plan, particularly from SaaS providers, shows how they’ll manage being hacked/attacked, or if they make a mistake with customer data.

By vetting your partners with these criteria that matter to you – and may be legally mandated – you reduce risks. Exposing your business’ sensitive corporate or customer data to vulnerabilities outside your direct control brings the issue of trust into focus.

Trust is your watchword

Security, both cyber and physical, and data privacy and protection all meet in the sphere of ‘trust’. Looking at trust as a complete area of business interest with lines of responsibility shared with business, technical, and function leaders like marketing and sales, helps grow a culture of responsibility. As the cybersecurity industry often reminds users, personal responsibility is one of the foundations of a robust security culture and posture.

By focussing on the facets of trust, a business can stay away from the horns of the data protection bull, whether they appear as human errors, criminals and scammers, or attention from the regulators.
