
Seven Questions Every Firm Should Ask Potential Vendors about Data Protection and Privacy

Written by Suralink | Apr 25, 2024 10:55:26 PM

Data privacy and protection have changed drastically over the last 20 years. The internet has introduced us to a completely different world where it can feel like nothing is private, and as a consumer, it’s easy to fall into the trap of releasing your data unwittingly. Before regulations took hold, consumers had little data protection and little recourse when a person or business came along and used that data for their own advantage.

With such huge personal and business ramifications at stake, governments, consumers, and companies are finally taking data protection seriously and understanding its true value. However, like any new arena, data protection is an ever-evolving world, which makes it very exciting, but also difficult to navigate.

That’s why we’ve compiled seven key questions that security managers, IT teams and management should put to a vendor when considering a new technology platform.

1. Complete due diligence on any vendor that will have access to your data

Even if you don't have a full vendor management process or policy, you can take some basic steps to protect yourself and your data. It may sound simplistic, but the first thing you must do when evaluating any vendor is ensure there's some form of data processing agreement in place that’s compliant with the legislation that applies to you. Don’t take it for granted that every vendor is compliant with your local regulations; ask for verification and details on which legislation it adheres to.

Companies will often claim one thing but execute something quite different. Ask for evidence. If it’s hard to come by, that can be an answer in and of itself.

The bottom line is to not rely on something you can't prove.

2. Dig into the IT and privacy agreements

Ask the vendor for its certifications and accreditations (e.g., ISO 27001 certification or a SOC 2 report), and check each one: who issued it, what scope it covers (which services, locations and systems), and when it expires. Ask how the vendor encrypts data, both in transit and at rest, and who holds the keys. Look into the information provided on the vendor’s website. Read the privacy notice. Ask if there are additional privacy safeguards or data protection agreements in place; if there are, what are they?

It bears repeating: don’t take anything for granted. We once ran into a scenario where the vendor claimed to be ISO-compliant. However, when we looked up its ISO certification, it had expired in 2019.

3. Ascertain what type of information will be covered by the agreement

There are many types of data, and each needs to be protected in different ways. For example, non-personal data requires different protections than personal data (often referred to as personally identifiable information, or PII), which, in turn, requires different protections from special-category data (such as health, biometric or genetic data under the GDPR). Write down which categories the vendor will actually receive, and make sure the agreement covers each of them.

4. Ask where the data is going to be held

This is a critical element, because it determines which type of documentation you need to put in place. For example, under the GDPR, Singapore is a third country that is not covered by an EU adequacy decision, so personal data transferred there needs additional transfer safeguards, such as standard contractual clauses, before the transfer is lawful. Asking one simple question can help you understand whether the vendor and the country storing the data are prepared to process it according to your preferred or required regulations. Ask about backups, replicas and support access as well, since data is often copied to, or viewed from, a region other than the one where it is primarily stored.

5. Find out who has access to what and why

Some vendors encrypt PII with keys they do not hold, so that they never have access to it in readable form. But if they do have access to your data, find out exactly who within the company retains that access. Then, go a step further and find out why they have access, what they’re going to do with it, and how that access is logged and reviewed.

Additionally, be sure to ask about any “sub-processors” or third parties the vendor might use for preparing or processing your data, their reasons for accessing it, and how you will be notified when that list changes.

6. Ensure that the vendor has data verification processes in place

This is one of the stickiest issues with data privacy and protection, because as part of a wider compliance framework, data needs to be reviewed on a regular basis to ensure that it’s all current.

However, data itself is always changing. For example, let’s say your company acquired data in 2022, and in 2024 you decide that you want to use a new vendor’s platform and to share that data with it.

Before you transfer that data, you need to make sure it’s up to date (names, email addresses, designations, and so on). If the data is inaccurate, your company may be in breach of the accuracy requirements of regulations such as the GDPR. Obviously, this presents a huge challenge to both your business and any vendor you work with, so understand how, how often, and by whom the data is verified.

7. Understand what will happen to your data at the end of a term

One of the most overlooked aspects of data protection is what happens to your data when you’re no longer doing business with a vendor. Ensure that when your term with a vendor ends, your data is returned or deleted within an agreed period rather than saved or archived, that the deletion extends to backups and sub-processors, and that the vendor confirms it in writing. In many cases, this scenario hasn’t been considered and PII is still sitting on a platform somewhere. There's really no reason for it to be there and, again, it can put your business in breach of regulation.

Ultimately, data is the most important asset your company has, and protecting it will go a long way toward protecting (and elevating) your brand, your reputation, and your business.