Among the actors involved in the new RGPD regulation, the controller and the processor (usually third party suppliers) stand out for having a more active role and for their direct action on personal data.
It is interesting to observe the difference between both figures because, although they have different tasks within the data processing, they are often confused. While the controller is the ultimate responsible for guaranteeing the security and privacy of personal data, the second actor is the one who directly operates the data processing. The processor always acts on behalf of the controller, and must be chosen in such a way that it offers sufficient guarantees to apply appropriate technical and organizational measures.
Service outsourcing is a widespread practice in all kind of organizations. This practice has many well-known advantages, but in the case of the personal data processing –this applies to any valuable information- it involves a risk that must be assessed and managed by the controller. Therefore, it is necessary to establish control mechanisms for suppliers that guarantee compliance with the regulation.
One of the tools that the controller has for managing their relationship with the provider is the contract. It should establish processing specific features, for instance, the object, term, nature or purpose... But suppliers are also required to demonstrate the existence and application of adequate security measures to protect data; and their customers, controllers, in addition to demanding them in the contracts, are also obliged to ensure that they are met.
Does this mean that controllers must become auditors of their suppliers? Organizations have other very different purposes. The adoption of our security rating allows them to carry out suppliers’ supervision much more effectively and efficiently, without the need to hire external experts or auditors, and without incurring any additional cost, since it is the provider him(her)self who contracts with the Agency the rating of their services.
The qualification allows suppliers the ability to demonstrate to all clients the level of protection applied to their services, through a single independent evaluation, with an objective and public scale, mapped with their particular requirements; avoiding that each one of them asks for a specific audit, and thus save efforts and time.
Customers should only require from their suppliers the rating of their services, or check the agency’s rated services public repository, to ensure that the security measures being applied correspond to their needs according to the risk level associated with data and executed processing.
In this way, the usefulness of the rating is twofold: first, it allows service providers to demonstrate the security level that they apply to the processing; and at the same time, it provides the ideal instrument for those controllers responsible to supervise them.
Demand it as a user! Accredit it as a service provider!
All you need is LEET.
Subscribe our Newsletter by clicking here
You can follow us on twitter.com/leet_security