Are you at risk from your suppliers mishandling data breaches?
I’ve seen a few suppliers make classic errors when dealing with breaches of their clients’ data. Here are the top three errors suppliers make and 5 suggestions to avoid them!
Category: Change Management / Transparency / Security Management
Customer: Industry user group for a software supplier
We were asked by an industry user group for a software supplier to carry out a DPIA on behalf of all the controller clients for a new mobile app under development that would be deployed to their end customers. We carried out the DPIA in close co-operation with the software supplier. Given that the app would be rolled out by an estimated 50-75 user group controllers in the first year, with an estimated end user base of between 1,500 and 10,000 users per deployment, we needed to ensure that the default app configuration would be robust and that the user group was given adequate information to deploy the app in a compliant manner. In the end, we carried out the DPIA and also produced documented sub-processor evaluations and a transparency review of the app, and we developed a rollout guide for the app to be used by each of the controller clients. The app developer also implemented additional measures, including regular pen testing of the app and a deployment checklist.
The General Data Protection Regulation is “risk” based legislation. This means that the protective measures an organisation implements should correspond to the level of risk associated with its data processing activities. It’s worth noting that the risk to be considered here is the risk to the data subject, as opposed to the risk to the business of non-compliance.
Data Protection Programmes are all the rage these days. It’s great to see the compliance conversation moving in this direction. As a Data Protection Officer (DPO), I know the difference between working with a solid data protection programme and working with none at all.