After the success of the first GDPR Conference Europe in April, Anna Mazzone, Managing Director at International Aravo Solutions UK will join the panel discussion at the second conference on 20th June.
We spoke with Anna about the most effective way to conduct supplier audits:
“Depending on your industry, you may have trade associations that have organised audit services to make the process of reviewing the third party less onerous for all their suppliers.
“You should definitely use technology to distribute and control the scope of the on-site review. The audit request can then be defined based on the inherent risk of a third party’s services to your business, and the results can be submitted and organised against a third party’s profile. Further remediation work can then be tracked.
“Additionally, third party data-feed services can allow on-going monitoring of your third party’s infrastructure. There are some good services out there today such as Security Scorecard and BitSight which provide security performance ratings, which used in tandem with your assessments can help expose areas of risk to be managed and controlled.”
Maintenance of data security is another issue that businesses must pay attention to:
“First it starts with the tone from the top of your organisation, but you should also ensure that you get the same confidence in the tone from the top from the supplier to your business. The culture of the firm defines how they prioritise the security and privacy associated with their employees’ and/or clients’ personally identifiable information. What are their policies, what is their control framework, how often is it tested, what data breaches, if any, have they had previously, and what corrective action have they taken to mitigate this happening again?
“Data security and data privacy control requirements need to be included in the requirements definition and development of software application services. Your firm needs to identify those third parties that have made the investment early on to mitigate your risk of regulatory non-compliance.
“You should ensure you have robust life-cycle management of your third parties. The controls in place for off-boarding a supplier or third party should be just as rigorous as on-boarding. Third parties are often the weakest link in a company’s data security, and are implicated in about 63% of all data breaches.”
The GDPR Conference Europe takes place on 20th June. For more information visit www.gdprconference.eu.
Originally published on GDPR.Report