The assessment used to narrow down or filter the set of third parties that require inclusion in privacy data inventories or data flows should focus specifically on the services in scope under the contract with the third party. By risk-tiering the set of providers against defined criteria (i.e., sensitivity of data classification, volume of personal data, or criticality of the service to your organization), third parties can be grouped into risk categories.
GDPR and Third Parties
01/31/18 6:26 PM