When companies manage the way personal data is shared and transferred and received by third parties, much of the effort is increasingly focused on bringing legal contracts in line with the requirements of the EU General Data Protection Regulation.
How can organisations effectively ensure that they have the data knowledge needed to validate data flows and the purpose of processing, as well as monitor data transfers to signal when personal data is going where it shouldn't?
This is a challenge for many companies, particularly those whose technologies involve continuous data movement between third parties. Indeed, data-streaming and pipeline technologies are often used for the specific purpose of moving personal data for digital transformation objectives. Consequently, they require continuous monitoring to ensure that data transparency efforts are worthwhile.
Continuous data mapping and validation
Having a clear and specific legal agreement in place to cover data transfers is a necessary step towards privacy compliance. You need to be able to provide evidence that third-party data transfers are, in fact, consistent with the terms of a legal agreement. In other words, you need the ability to compare actual business processes with declared ones and verify that everything is in order at any given time.
This requires continuous and automated data collection to support up-to-date flow mapping. In particular, a model is needed that can support the documentation of third-party data transfers based on detailed information about the data, including the associated business process, third-party names and individual attributes, and the associated purpose of use.
Actions to mitigate risks associated with third parties:
Focus on sensitive and personal information: separate the third parties with whom you share sensitive data from those with whom you do not;
Make anonymisation a default: shared data should always be anonymised. Anything else should be the exception (and not the other way around);
Keep an inventory: continuously track which third parties use your data;
Know which business processes depend on third-party partners: this way you can conduct impact analysis and remove third parties without disrupting normal business operations;
Frequently review your policy: make sure you remove obsolete third-party partners.
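The model described above (declared agreements compared against observed transfers, with attribute, purpose and anonymisation detail) and the mitigation list can be expressed as a small inventory check. The following Python is an added example, not code from the original article or from any product; the data model, the partner names, the attribute names and the sample records are all constructed for illustration. It validates each observed transfer against the agreements on file, lists identifiable (non-anonymised) transfers as the exceptions they should be, separates partners that receive sensitive attributes, performs the impact analysis for removing a partner, and flags partners with an agreement but no observed transfers as candidates for removal.

```python
"""Third-party data-transfer validation against declared agreements.

Hypothetical data model with constructed sample records (not taken from any
real system). Observed transfers would normally come from pipeline or export
logs; agreements from the contract register.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

# Attribute names treated as sensitive in this example (constructed list).
SENSITIVE_ATTRIBUTES = frozenset({"health_status", "religion", "ethnicity", "biometric_id"})


@dataclass(frozen=True)
class Agreement:
    """What the legal agreement with a third party permits (the declared flow)."""
    third_party: str
    purpose: str
    attributes: FrozenSet[str]
    anonymised_only: bool  # contract covers anonymised data only


@dataclass(frozen=True)
class Transfer:
    """What a pipeline actually sent (the observed flow)."""
    third_party: str
    business_process: str
    purpose: str
    attributes: FrozenSet[str]
    anonymised: bool


# Constructed sample agreements and transfers; partner names are hypothetical.
AGREEMENTS: List[Agreement] = [
    Agreement("acme-analytics", "product analytics", frozenset({"user_id", "page_views"}), True),
    Agreement("payroll-co", "payroll processing", frozenset({"employee_id", "salary", "bank_account"}), False),
    Agreement("old-mailer", "newsletter", frozenset({"email"}), False),  # agreement exists, no traffic
]

TRANSFERS: List[Transfer] = [
    Transfer("acme-analytics", "web-analytics-pipeline", "product analytics", frozenset({"user_id", "page_views"}), True),
    Transfer("acme-analytics", "marketing-export", "ad targeting", frozenset({"user_id", "email"}), False),
    Transfer("payroll-co", "hr-sync", "payroll processing", frozenset({"employee_id", "salary", "health_status"}), False),
    Transfer("unknown-vendor", "hr-sync", "benefits", frozenset({"employee_id"}), False),
]


def _finding(t: Transfer, issue: str) -> Dict[str, str]:
    return {"third_party": t.third_party, "business_process": t.business_process, "issue": issue}


def validate_transfers(transfers: List[Transfer], agreements: List[Agreement]) -> List[Dict[str, str]]:
    """One finding per mismatch between an observed transfer and the agreements
    on file for the same third party: unknown partner, undeclared purpose,
    undeclared attributes, or identifiable data where only anonymised data is covered."""
    by_party: Dict[str, List[Agreement]] = {}
    for a in agreements:
        by_party.setdefault(a.third_party, []).append(a)

    findings: List[Dict[str, str]] = []
    for t in transfers:
        party_agreements = by_party.get(t.third_party, [])
        if not party_agreements:
            findings.append(_finding(t, "no agreement on file"))
            continue
        if t.purpose not in {a.purpose for a in party_agreements}:
            findings.append(_finding(t, f"purpose '{t.purpose}' not covered by any agreement"))
        declared = frozenset().union(*(a.attributes for a in party_agreements))
        undeclared = t.attributes - declared
        if undeclared:
            findings.append(_finding(t, "undeclared attributes: " + ", ".join(sorted(undeclared))))
        if not t.anonymised and all(a.anonymised_only for a in party_agreements):
            findings.append(_finding(t, "identifiable data sent but agreements cover anonymised data only"))
    return findings


def anonymisation_exceptions(transfers: List[Transfer]) -> List[Transfer]:
    """Transfers that leave identifiable data; anonymised should be the default."""
    return [t for t in transfers if not t.anonymised]


def partners_receiving_sensitive_data(transfers: List[Transfer]) -> Set[str]:
    """Partners that receive at least one sensitive attribute (kept separate in review)."""
    return {t.third_party for t in transfers if t.attributes & SENSITIVE_ATTRIBUTES}


def dependent_processes(transfers: List[Transfer], third_party: str) -> Set[str]:
    """Impact analysis: business processes that would be affected by removing a partner."""
    return {t.business_process for t in transfers if t.third_party == third_party}


def obsolete_partners(agreements: List[Agreement], transfers: List[Transfer]) -> Set[str]:
    """Partners with an agreement on file but no observed transfers: review for removal."""
    active = {t.third_party for t in transfers}
    return {a.third_party for a in agreements} - active


if __name__ == "__main__":
    for f in validate_transfers(TRANSFERS, AGREEMENTS):
        print(f"{f['third_party']:16} {f['business_process']:24} {f['issue']}")
    print("identifiable transfers:", len(anonymisation_exceptions(TRANSFERS)))
    print("partners with sensitive data:", sorted(partners_receiving_sensitive_data(TRANSFERS)))
    print("processes depending on acme-analytics:", sorted(dependent_processes(TRANSFERS, "acme-analytics")))
    print("obsolete partners:", sorted(obsolete_partners(AGREEMENTS, TRANSFERS)))
```

Run against the constructed records, the validation produces five findings: three for the marketing export to acme-analytics (undeclared purpose, undeclared email attribute, identifiable data under an anonymised-only agreement), one for the health attribute sent to payroll-co, and one for the vendor with no agreement at all. In practice the transfer records would be fed continuously from the pipeline rather than hard-coded, so the same checks run on every new export.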