Archive for January 2018

GDPR and Third Parties

The assessment that narrows down the set of third parties requiring inclusion in privacy data inventories or data-flow maps should be scoped to the services each third party is contracted to provide, since only those services determine what personal data the provider actually receives. Tiering providers against defined criteria (e.g., sensitivity of the data classification handled, volume of personal data processed, or criticality of the service to your organization) then groups them into risk categories that drive the depth of due diligence each one receives.

GDPR Privacy and Third Parties

While contracts can define and structure compliance obligations and service levels, GDPR extends risk and liability to third parties directly, which triggers changes in due diligence across every phase of the third party service provider oversight lifecycle: selection, contracting, ongoing monitoring, and termination. For companies that rely on external assurance engagements such as Service Organization Controls (SOC) 2 reports, the American Institute of Certified Public Accountants (AICPA) has updated the Trust Services Principles and Criteria for Privacy. Similarly, the Shared Assessments Program, whose assessment tools are aligned with International Organization for Standardization (ISO) standards, has updated its standard testing procedures for privacy.

General Data Protection Regulation

GDPR creates significant compliance risk and introduces administrative fines of up to 4% of annual worldwide turnover (sales), or EUR 20 million, whichever is higher, for the most serious infringements, as well as the risk of private claims for compensation from affected data subjects.


Copyright © 2023 Ampcus. All rights reserved.