The first three articles in this series focused on the creation of an internal environment that would enable a strong culture of privacy and data protection to flourish within the organization. Those articles provided suggestions on specific measures organizations could take to create the foundations for adoption of strong privacy and security controls. Once the organization has accomplished this to a reasonable degree, the focus can shift to the movement of data outside of the organization's control.
Now, we will focus on ensuring that third parties such as vendors, contractors and subcontractors that receive or may have access to the organization's data are properly screened, so that privacy and data security controls are not compromised by a failure to properly select these third-party vendors, and so that the organization has reasonable assurances that its data is being properly maintained by the third party.
The legal perspective on protecting data: Key contractual components
This list is not exhaustive and the contractual language needs to be specifically tailored after a comprehensive risk assessment. The purpose of providing these elements is solely to identify the core elements that should be a starting point as part of the negotiations with the third-party vendor.