Technology vendors, like Ventiv, are classed as data processors when they hold or have access to your data. It is this classification that means they are subject to data protection rules, just as organizations that collect data are.
When your customers choose to buy from you, they are putting their trust in you and your suppliers to keep their information safe. When you consider the consequences your business could face if one of your partners breaches data protection legislation, it’s crucial that you ensure your partners are compliant.
If you’re not quite sure what you need to be doing to make sure your technology partner is GDPR-compliant, approach it in a similar way to how you have approached it within your own organization. Good companies should be able to answer your questions.
Great suppliers, however, should be able to go an extra step and have a proactive approach to supporting their customers’ data governance and compliance with data-privacy laws.
So, here are 5 things that your software vendors should be doing for you:
1. Investing in their software capabilities
If your software partners are continually improving their technology, it shows their commitment to you. This investment should also address data-privacy legislation (which is an increasingly global concern, as I discussed in a previous blog post). Things you should ask include:
2. Demonstrating that they are compliant within the legal jurisdictions in which they operate
Your supplier should be able to show evidence that they meet the GDPR rules, and other legislation, in respect of managing your and your customers’ data. This applies to all relevant territories. Have a read of our article about the case for cross-region GDPR-level data governance. Evidence of this should include:
3. Having a strong security and privacy program in place
Even with the best of intentions, a data breach can happen. It is when an unfortunate event like this occurs that you will see how well your supplier really performs. Your software provider should have:
4. Having externally accredited third-party audits
One way to ensure your supplier is meeting industry standards is for them to be accredited to the standards set by an internationally recognized body. Good examples of accreditations are ISO27001:2013, ISO27018 and SSAE18 SOC 1 or 2.
5. Being covered by cyber security insurance
Insurance offers added peace of mind that your software supplier is taking information security seriously, and it is a safety net in case something goes wrong. Insurance companies also usually have set criteria that organizations must meet before they will insure them.
For risk and claims management, having the level of data governance described above is critical for the effective management of customers’ personally identifiable information.
At Ventiv we can easily demonstrate our GDPR processes, which our clients certainly appreciate. As part of our investment in our technology risk management platform, we have introduced the Data Governance module.
This add-on to your RiskConsole & RiskConsole Advance system is the ideal way to manage your data protection obligations under GDPR (as well as under other legal jurisdictions). If you are serious about looking after your customers’ data, you should consider an RMIS software solution like this.