Select your Data Babysitter carefully
Posted on 2nd July 2019 at 10:41
As any organisation grows it has two fundamental objectives:
To make more money.
To reduce its costs.
There is obviously nothing wrong with this philosophy; we all want successful businesses that make more money.
Importantly, however, when it comes to a successful GDPR/cyber compliance journey there are strict rules that must be followed to maintain our integrity and to avoid the potentially costly consequences of non-compliance and data breaches.
Guardian of your Galaxy
No matter the size or type of our organisation, there are two very important points we need to understand about GDPR:
We are wholly responsible for the data held within our organisation, from its inception (birth) to its deletion (death). This responsibility is without exception.
If we outsource services such as IT, credit control, accountancy or HR, and allow those external companies to manipulate, or simply to access, our data, the responsibility for the integrity, security and protection of that data remains ours.
This means we must ensure that our customers' data remains compliant no matter who has access to it or where they are able to gain that access, because any such access will have been granted at our request when we appointed the outsourced service.
GDPR requires us to implement Appropriate Technical & Organisational Measures. These measures must follow the data wherever it travels and make everyone responsible and accountable who:
Hold the data.
Access the data.
Manipulate the data.
Share the data.
Backup the data.
Store the data.
Destroy the data.
Our customers have placed their trust in us that their data and details will be safeguarded; they do not need to make any special request for their data to remain protected when we use outsourced services.
The reason for this is simple.
Our customers did not know (unless we made it very clear in our T&Cs and/or Privacy Policy) that we would share their information, so when we appoint an outsourced provider to assist with our day-to-day operations, they do not need to know about that company unless the same provider facilitates a data breach. Note that GDPR's transparency requirements in any case expect our privacy notice to name the recipients, or categories of recipients, of their data.
However, it is our responsibility to have a formal contract with our outsourced provider. This contract must exist before they supply any services to us, must clearly make them accountable, and must enforce on them the same “Appropriate Technical & Organisational Measures” that we have implemented within our own organisation. Under GDPR this is the controller-processor contract required by Article 28, commonly called a data processing agreement.
If you do not follow these simple rules and:
Appoint an outsourced provider,
Do not create a formal contract,
Do not follow appropriate measures, or
Allow the outsourced provider to access or manipulate your data in any form,
then there will be serious consequences for both parties for non-compliance, and should a data breach occur the appropriate breach notification procedures and policies will need to be enacted (under GDPR the processor must notify the controller without undue delay, and the controller must notify the supervisory authority within 72 hours of becoming aware, where feasible).
Follow this simple advice; otherwise your organisation may find itself unenviably non-compliant.