The assessment to narrow down or filter the set of third parties that require inclusion in privacy data inventories or data flows should focus specifically on the services in scope under the contract with the third party. By risk-tiering the set of providers against defined criteria (e.g., sensitivity of data classification, volume of personal data, or criticality of the service to your organization), third parties can be grouped into risk categories.
Written by Naveen Reddy, January 31st, 2018 | GDPR and Third Parties
Filed under: Business Solutions
While contracts can define and structure the compliance obligations and service levels, the risks and liability now extend to third parties, triggering changes in third-party due diligence in all phases of the third-party service provider oversight lifecycle. For companies that rely on external assurance engagements like Service Organization Controls (SOC) 2, the Trust Services Principles and Criteria for Privacy have been updated by the American Institute of Certified Public Accountants (AICPA). Similarly, the Shared Assessments Program, an International Standards Organization (ISO)-based set of tools, has updated its standard testing procedures for Privacy.
Written by Naveen Reddy, January 31st, 2018 | GDPR Privacy and Third Parties
Filed under: Business Solutions
GDPR creates significant compliance risk and introduces fines of up to 4% of annual worldwide turnover (sales) for the most serious breaches, as well as the risk of private claims for compensation.
Written by Naveen Reddy, January 22nd, 2018 | General Data Protection Regulation
Filed under: Business Solutions