Security Fridays: Week 17Chris Cassell 21/08/2020, Industry News
Protecting data when working with external parties
This is a good example of a data protection authority (DPA) enforcing one of the sections of the GDPR regulations that tends to be forgotten about. If you allow access for external parties to your data, then you are liable for what they do with that data, their breaches are your breaches.
With the complex business relationships that most organisations require to function it is vital that this is accounted for in the data lifecycle and processes. Such a policy should be used to dictate what information an organisation should collect and store internally and should absolutely be used to control exactly what information is shared with these external parties, under what circumstances and contains capability to be able to delete that data when it comes to the end of its functional life.
The third party that is accessing the data should likewise have its own policy that dictates what information it will accept from its business partners and should take steps to avoid obtaining any data outside of this remit. This policy should also cover the usage of that data and the destruction of that data at the end of its usage to avoid any retention issues.
It is the source organisation’s responsibility to check that both their own and the third party’s policies are correct, compliant and compatible before allowing them any access to any data.
Suitable technologies should be put in to place to enforce these polices and operate as a barrier to prevent any sort of data access outside the confines of these agreements.
1 – Create suitable data lifecycle and retention polices for both organisations in any transaction of data, each should be agreed upon by both parties and enforced.
2 – Consider providing technology to any external organisation that needs to access your data, providing devices of known configuration with suitable security tools in place and refusing to provide administration access extends your security policy in to that third party organisation directly. Allowing direct control and monitoring of the data being accessed and what happens to it ensuring that your policies are enforced even externally.
3 – Audit everything, make sure that the data that is being shared is in line with the policy using data discovery and classification, making sure that you can audit its movement. Activity that’s non-compliant should be detected a long time before a DPA becomes involved.
Read the article that was analysed here: https://gdpr.report/news/2020/07/07/italian-dpa-fines-bank-for-data-breach/