With cybersecurity at the forefront of most IT leaders’ attention, it has never been more important to consider GDPR compliance when speaking to IT service providers.
I recently read a great piece over at CIO from last year featuring an interview with Mayer Brown legal partner, Rebecca Eisner.
Eisner talks about some of the challenges faced by customers of IT managed service providers, particularly larger organisations with complex staffing and network structures.
She notes that although data protection measures need to be included in IT service contracts, “Suppliers are understandably concerned about not paying damages that are disproportionate to the revenue received, and therefore seek to limit or disclaim their liability.”
Eisner goes on to say that, “Customers are equally concerned, particularly where suppliers do not have the same incentives to protect customer data as the customer, and because the negative impacts of a security incident are generally far more significant to the customer than to the supplier.”
This highlights the importance of agreeing a clear, written allocation of responsibilities with your providers, so that everyone understands who is accountable for what before an incident occurs rather than after it.
The Growing Complexity of Cybersecurity
The infrastructure of data centres continues to grow and to become more widely dispersed around the world.
From your smartphone to the cloud and back again, there are far more opportunities for error, and for your data to be compromised, than ever before.
Eisner remarks, “The points of access and potential points of security failure multiply with this ever-expanding ecosystem. In addition, many of these systems are provided or managed by third party suppliers.”
Consider also the new European General Data Protection Regulation (GDPR) and its far-reaching implications.
Every system and supplier that touches personal data you are responsible for must comply with the regulation, which applies from May 2018.
Everything from your contracts to your day-to-day operations and the handling of customer data must be considered and kept up to date.
How to Mitigate Risk When Outsourcing IT
I recommend checking out the full article linked above; however, here is a summary of Rebecca Eisner’s recommendations for improving cybersecurity in your relationships with IT service providers:
- Make sure every member of staff, from reception to the board, is trained and educated on the importance and practicalities of data security and customer privacy, as well as on methods of minimising risk.
- Gain a clear understanding from your provider of exactly who will be handling sensitive data; this includes client information and any data that is integral to the business’ finances, operations, and so on.
- Query your provider’s own cybersecurity measures, including the policies they have in place for identifying potentially high-risk third-party relationships of their own.
- Review your existing service contracts to ensure they meet both your updated internal cybersecurity policies and the GDPR requirements that apply from May 2018; the regulation requires specific terms in your contracts with suppliers who process personal data on your behalf (Article 28), so this is a good time to check they are present.
Periodic reviews should also be conducted by both your organisation and your providers to ensure policies are kept up to date.
A Little Due Diligence Goes a Long Way
This post is by no means comprehensive, and is intended mostly to get you thinking about your own approach to cybersecurity.
This is particularly important in the changing landscape of data protection regulation.
Make your IT managed service provider work for you by having them demonstrate that the necessary measures are in place to secure your data both at rest and in transit.
If you’re not sure how to approach a discussion about GDPR with your service providers, then call us today and we’ll be happy to help.