
Seven questions every firm should ask potential suppliers about data protection and privacy

Jun 10, 2021 7:30:00 AM | 7 min read


Data privacy and protection have changed drastically over the last 20 years. The internet has introduced us to a completely different world where it can feel like nothing is private. As a consumer, it's easy to fall into the trap of releasing your data unwittingly. Before regulations like GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act), consumers had little data protection and less recourse when a person or business came along and used their data for its own material advantage.


With the ability to carry such huge personal and business ramifications, governments, consumers, and companies are finally taking data protection seriously and understanding its true value. However, like any new area, data protection is an ever-evolving world, which makes it very exciting, but also very difficult to navigate. 

That’s why I’ve compiled seven key steps security managers or IT and management teams should review when considering a new technology platform. 

Complete common-sense due diligence on any vendor that will have access to your data. 

Even if you don't have a full vendor management process or policy, you can take some basic steps to protect yourself and your data. It may sound simplistic, but the first thing you must do when evaluating any vendor is to ensure there's a data processing agreement (DPA) in place that covers how data is transferred and processed under the legislation that applies to you. (Under GDPR Article 28, a controller must have such a contract in place whenever a processor handles personal data on its behalf.) Don't take it for granted that every vendor is compliant with your local regulations. Ask for verification and details on which legislation they adhere to.

Companies will often claim one thing, but in practice, be doing something very different. Ask for evidence. If it’s hard to come by, that can be an answer in and of itself. The bottom line is don't rely on something you can't prove.

Dig into the IT and privacy agreements. 

Ask the vendor for their certifications and accreditations (e.g., ISO 27001, SOC 2, etc.), and check that each one is current and covers the service you are actually buying, not just a parent company or a different product. Ask how the vendor encrypts data, both in transit and at rest, and who holds the keys. Look into the information provided on the vendor's website. Read the vendor's privacy notice. Ask if there are additional privacy safeguards or data protection agreements in place. If there are, what are they? It bears repeating: don't take anything for granted. I recently ran into a scenario where the vendor claimed to be ISO compliant. However, when I looked up its ISO certification, it had expired in 2019.

Ascertain what type of information will be covered by the agreement.

There are many different types of data, and each needs to be protected in different ways. For example, non-personal data requires different protections than personal data (often referred to as Personally Identifiable Information or PII), which in turn requires different protections from special category data (under GDPR Article 9: data revealing racial or ethnic origin, political opinions, religious beliefs, or trade union membership, and genetic, biometric, health, or sexual orientation data). Get the vendor to state, in the agreement, exactly which categories it will receive, so that neither side is surprised later by what is actually flowing through the platform.

Ask where the data is going to be held. 

This is a critical element, because it drives what type of documentation you need to put in place. For example, if personal data covered by GDPR were transferred to Singapore, you would need to account for the fact that Singapore is a third country without an adequacy decision from the European Commission, so the transfer would require an additional safeguard such as standard contractual clauses. Also ask where backups and support access are located, since those often sit in a different region from the primary data store. Asking one simple question can help you understand if the vendor, and the country storing the data, is prepared to process it according to your preferred or required regulations.

Find out who has access to what and why.

Some vendors encrypt PII with keys that only the customer controls, so the vendor itself can never read it. But if they do have access to your data, find out exactly who within the company has access. Then go a step further and find out why they have access, what they're going to do with it, and whether that access is logged and reviewed.

Also be sure to ask about any “sub-processors” or third parties the vendor might use for preparing or processing your data, and their need to access it.

Ensure that the vendor has processes in place to verify the data.

This is one of the stickiest issues with data privacy and protection. GDPR's accuracy principle (Article 5(1)(d)) requires that personal data be accurate and, where necessary, kept up to date, and that reasonable steps be taken to erase or rectify inaccurate data without delay.

However, data itself is always changing. Let's look at a quick example. Let's say your company acquired data in 2018, and in 2020 you decide you want to use a new vendor's platform and share that data with that platform. Before you transfer that data, you need to make sure it's up to date (e.g., names, email addresses, job titles, etc.). If you transfer data you know to be stale or incorrect, your company may be in breach of the accuracy principle. Obviously, this presents a huge challenge to both your business and any vendor you work with, so understand who verifies the data, how, and how often.

Understand what will happen to your data at the end of a term.

One of the most overlooked aspects of data protection is what happens to your data when you're no longer doing business with a vendor. Ensure that when your term with a vendor ends, your data is returned to you or deleted, including copies held in backups and by any sub-processors, within a defined period and with written confirmation (GDPR Article 28 requires exactly this of a processor, except where a law obliges it to retain the data). In many cases, this scenario hasn't been considered and PII is still sitting on a platform somewhere. There's really no reason for it to be there, and again, it puts your business in breach of regulation.

Ultimately, data is the most important asset your company has, and protecting your data will go a long way to protecting your brand, your reputation, and your business. 


Jeremy Smith is the Chief Technology Officer at Suralink. Jeremy has more than 20 years of experience building and running commercial software products and successful engineering, product, quality assurance, and operations teams.