Data Security, Due Diligence and Vendor Selection
Consumers are increasingly concerned with their data protection and privacy rights. This means that protecting the confidentiality of your customer data should always be a top priority when making business decisions such as outsourcing.
While you may opt to sub-contract a service, you never outsource the related risks, and the reality is that your customer information is only as secure as the weakest link that has access to your data.
As such, Throtle believes it’s critical to be extremely selective when choosing your data partners to ensure they are not only a great business fit to deliver your identity resolution and onboarding services, but that they’re also managing security, privacy and compliance risks in line with your standards and industry best practices.
To help ensure you have the right visibility, Throtle recommends taking a proactive approach to evaluate your vendor’s control program prior to outsourcing any services. Below are a few potential risk areas to consider as part of this due diligence process:
How does your vendor comply with privacy regulations such as the California Consumer Privacy Act (‘CCPA’) or the General Data Protection Regulation (‘GDPR’)?
- Do they maintain a privacy policy?
- Are they complying with data collection and explicit notice requirements?
- Do they provide consumers with the ability to exercise their consumer rights such as opt out, right to access, or right to delete?
- Is your vendor transferring any of your customer data outside of your jurisdiction?
How does your vendor address Cyber Security Risk? Do they have robust physical, technical, and logical protections in place to secure your company data and customers’ PII?
- Do they have a security awareness & training program?
- Do they have formal security policies that are regularly reviewed and updated?
- Are they encrypting their data in transit and at rest?
- Are they anonymizing or de-identifying any PII data?
- Do they have an incident management process?
- Do they have a formal vulnerability management and patching program?
- Do they perform penetration testing?
- Have they experienced a data breach in the last 12 months?
How does your vendor manage Operational Risk? Do they understand the risk exposures that could affect their ability to deliver the services on time?
- Do they perform business continuity planning?
- Do they have a formal disaster recovery plan?
- Are they able to scale vertically/horizontally to meet your data processing needs?
How does your vendor manage their own third-party risks?
- Is your vendor leveraging any fourth parties who may have access to your data?
- Do these fourth parties have the above compliance, cyber, and operational controls in place?
The above set of questions represents just some of the many risk areas to evaluate when narrowing your vendor selection. This list is provided for information purposes only; as every outsourcing situation is unique, the information is not intended to be comprehensive and should not be taken as legal advice. Throtle is happy to partner with your security and compliance teams to provide the necessary assurance to support your vendor selection process.