Data Protection and Outsourcing
Outsourcing tasks and responsibilities is commonplace for many businesses today. Everything from administration and HR to bookkeeping and IT can be outsourced to a third party, allowing you to focus fully on the core competencies of your business.
While this usually brings about benefits in terms of efficiency and cost, it can also cause serious problems and risks if the issue of data protection and access is not properly considered.
Outsourcing your IT management and support, for example, will require third-party access to your systems and data. The level of access this third party has may even exceed that of anyone in your business. For instance, if you take on a new employee, you might have to ask your IT provider to set up this new member of staff with access to the systems and data they will need to do their job.
With this level of access, you need to be sure of who is touching your data and have systems in place to monitor this access.
Under the EU’s General Data Protection Regulation, both the data controller and third-party data processors are responsible for the security of any personal data. In other words, you may be held liable if one of your third parties fails to adhere to GDPR requirements and is breached, and your customers’ personal data is compromised as a result.
The GDPR pertains to personal data. However, it’s not just personal data that is of value and should be protected. Your outsourced IT company could view information about a competitive tender you are bidding for. Could you be sure they won’t share this information? What if one of their employees has friends or relatives at other companies also bidding for this tender? The same applies to intellectual property. Does your third party need access to this information?
Selecting a third party that can demonstrate their commitment to data security and appropriate access rights is vital. What kind of internal processes, checks and policies does the third party have? If their response is vague or dismissive, this is a red flag and a good reason to continue your search for a company you can trust.
Establishing what your third party needs access to in order to provide their services is a necessity. The principle of least privilege should always be adhered to: grant only the access required for the agreed services, and nothing more.
Does your system provide logs of who accessed your data and when? This gives you a level of transparency over who has touched your data. Logs can capture user activity such as elevation of privileges, account creation or changes, usage information, access patterns and requests. Such logs also deter rogue insiders from obtaining and leaking data, because they will leave a digital footprint in the system.
It is of no benefit if a third party’s policy is to ban employees from bringing USB devices into work if they have no means of preventing data from being copied to those devices. Does your third party have specific controls in place that prevent your data from being copied to an external device?
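The three points above (least privilege, access logging and removable-media controls) come together when someone actually reviews the logs for the outsourced account. The script below is an added example, not part of the original article or of any real provider's tooling: it parses a handful of constructed key=value audit lines (the log format, the `vendor-it` account name, the agreed scope prefixes and the `removable:` resource prefix are all assumptions made for the example) and flags privilege elevation, access outside the agreed scope, and writes to removable media.

```python
"""Review audit-log lines for an outsourced IT account.

Added example (not from the original article). The log format below is an
assumption: one event per line, space-separated key=value fields.
"""
from dataclasses import dataclass

# Constructed sample audit lines -- not from any real system.
SAMPLE_LOG = """\
ts=2024-03-01T09:02:11Z user=vendor-it action=read resource=hr/new-starter-form result=ok
ts=2024-03-01T09:05:40Z user=vendor-it action=create_account resource=ad/users/j.doe result=ok
ts=2024-03-01T09:31:02Z user=vendor-it action=elevate resource=ad/groups/domain-admins result=ok
ts=2024-03-01T10:12:55Z user=vendor-it action=read resource=finance/tender-2024-q2 result=ok
ts=2024-03-01T10:14:03Z user=vendor-it action=write resource=removable:E:/tender-2024-q2.xlsx result=ok
ts=2024-03-01T11:00:00Z user=alice action=read resource=finance/tender-2024-q2 result=ok
ts=2024-03-01T11:20:00Z user=vendor-it action=read resource=finance/invoices result=denied
"""

# Assumed agreement with the IT provider: they may manage AD user objects and
# the HR onboarding folder, and nothing else (least privilege).
VENDOR_ACCOUNTS = {"vendor-it"}
VENDOR_SCOPE = ("ad/users/", "hr/")


@dataclass(frozen=True)
class Event:
    ts: str
    user: str
    action: str
    resource: str
    result: str


@dataclass(frozen=True)
class Finding:
    category: str
    event: Event


def parse_line(line: str) -> Event:
    """Split one 'k=v k=v ...' audit line into an Event."""
    fields = dict(token.split("=", 1) for token in line.split())
    return Event(fields["ts"], fields["user"], fields["action"],
                 fields["resource"], fields["result"])


def parse_log(text: str) -> list[Event]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def audit(text: str,
          vendor_accounts: set[str] = VENDOR_ACCOUNTS,
          scope: tuple[str, ...] = VENDOR_SCOPE) -> list[Finding]:
    """Return one Finding per vendor event that needs a human to look at it.

    Each event gets at most one category, most specific first:
    privilege elevation, then removable-media writes, then anything the
    vendor touched (or tried to touch) outside the agreed scope.
    """
    findings: list[Finding] = []
    for ev in parse_log(text):
        if ev.user not in vendor_accounts:
            continue  # only the outsourced account is reviewed here
        if ev.action == "elevate":
            findings.append(Finding("privilege_elevation", ev))
        elif ev.action == "write" and ev.resource.startswith("removable:"):
            findings.append(Finding("removable_media_write", ev))
        elif not ev.resource.startswith(scope):
            # Denied attempts are kept too: they show what was tried.
            findings.append(Finding("out_of_scope_access", ev))
    return findings


def summary(findings: list[Finding]) -> dict[str, int]:
    """Count findings per category for a quick overview."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(SAMPLE_LOG)
    for f in results:
        e = f.event
        print(f"{e.ts} {e.user:10} {f.category:22} {e.action} {e.resource} ({e.result})")
    print(summary(results))
```

Run against the sample, the script reports the elevation into `domain-admins`, the read of the tender folder, the copy of that file to removable media and the denied attempt on the invoices folder, while the in-scope HR read and account creation pass silently. The same structure works against a real log once `parse_line` is adapted to that log's format and the scope prefixes reflect the access actually agreed in the contract.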
The right third parties will enable your business to thrive and grow. Make sure you choose outsourced companies wisely. Out of sight and out of mind makes it all too easy to forget that you must continue to protect and monitor access to your data.