How does your company check the data security of suppliers and their possibly subprocessors?
For the purposes of Article 32 of the GDPR, appropriate technical and organisational requirements must be imposed on your suppliers. But how do you specifically check and ensure that your suppliers comply with the data security requirements set out in contracts and data processor agreements?
In their guidance on 'Supervision of data processors and subprocessors', the Danish Data Protection Agency writes:
"Although it is not explicitly specified in a paragraph of the Data Protection Regulation that the processing security of your data processors should be sought, it is the Danish Data Protection Authority's view that even now, where the regulation applies, processing security must be sought of one's data processors. The reason for this is that the data protection controller must comply with the requirement of accountability, and must be able to demonstrate that the processing of personal data complies with the rules of the Data Protection Regulation. The data protection controller will not be able to meet the above requirements by simply concluding a data processor agreement with the data processor. The controller must therefore also monitor (to a major or minor degree) compliance with the data processing agreements concluded, including the implementation of the agreed technical and organisational security measures."
How does your company exercise control over its subcontractors?
Do you have the technical competences to assess the ISAE 3000 and ISAE 3402 statements you receive? How do you deal with suppliers who do not provide ISAE statements? Do you have the technical skills to carry out thorough on-site checks of your suppliers' technical platforms? At Vangsaa Consult we have extensive experience from both the public and financial sectors in establishing control and audits, in particular of IT suppliers. We are always happy to have a cup of coffee and a no-obligation conversation if you have any questions about the area, including a chat about a possible cooperation in which we contribute resources to solving the task for you.