IT security – your responsibility goes beyond your company
It might seem obvious that you should have control over your own IT systems and security, but are you also in control when it comes to outsourcing partners or other external data processors? Data is increasingly placed and processed by external data processors, which from a business perspective can be very beneficial. However, just because the data processing is out of sight, does not mean that the responsibility is. If your data processor has poor IT security, so do you.
Data controllers and data processors
With the EU general data protection regulation approaching, companies will increasingly be forced to distinguish between the roles of the data controller and data processor. The data controller determines in which way data is processed. The data controller can either be an individual or an organization. Data controllers must ensure that any processing data complies with relevant IT security standards. Opposite of the data controller is the data processor who processes the data on behalf of the controller. Data processors can be both internal and external processors. When it comes to IT security compliance, data controllers often neglect the responsibility of ensuing this in regards to external processors.
Lack of control with external data processors
In Denmark, the Danish Financial Supervisory Authority (the Danish FSA) is an entity that conducts financial and IT audit. Scanning though audit reports reveals that some companies struggle to comply with the IT security requirements set forth by Danish law or companies’ own standards. According to the Danish FSA’s reports, general issues include risk management methods, documentation of links between IT risks and established controls, and periodic follow-ups and monitoring of IT security policies.
An increasing issue, according to the Danish FSA’s reports, is the lack of supervision in relation to external data processors. Several major Danish institutions, including banks and insurance companies, have received remarks to improve these issues. According to the reports, companies are not ensuring that their external data processors are compliant with the companies own IT security standards and policies. Furthermore, companies’ IT risk assessment does often not include assessment of external data processors.
How to ensure IT security compliance
You should always ensure that external data processors comply with your IT security standards. This includes ensuring that requirements to data processors are documented and controls are performed regularly. You should also include your external data processors’ risks in your company’s IT security management and management reporting.
New EU data regulation
On May 25 2018, the new EU general data protection regulation will take effect. The new regulation will be directly applicable in all member states without the need for implementing national legislature. Work to prepare has long begun due to the complex and extensive legislation. The EU data protection regulation will include a line of regulations within IT operations. The regulation has put a greater focus on the roles of the data controller and data processor and their individual responsibilities. The aim of the regulations is to regulate the progression of personal data as well as harmonize current data protection laws across EU member states. Not complying with the new EU general data protection regulation can lead to fines of up €20 million or 4% of global annual turnover for the preceding financial year.
GDPR work has long begun to ensure compliance before May 25th 2018. Impero has teamed up with subject-matter experts and can offer a GDPR compliance software solution that can help both small companies and large organizations with their compliance work. Our GDPR solution will help survey, visualize, report and manage the processing of personal data. The GDPR compliance software will provide a clear overview of GDPR compliance, which will also reduce risk and increase efficiency. Read more about our GDPR compliance software here.