Why is this a risk?
Handling private and personally-identifiable information comes with a high obligation, both under the law and under company policies. Moreover, consumer expectations are very high: consumers expect that companies will protect their information and keep it confidential, and that it won't be hacked, made public, given to third parties for marketing purposes or sold to the highest bidder.
Examples of where this risk could affect you
- Your suppliers might conduct marketing activities on your behalf, such as surveys, customer feedback sessions and focus groups
- Your suppliers might also be given customer information for processing purposes (e.g. call-centre access, technology support), and the supplier then uses this information for its own purposes
- You engage a company to gather customer or user data on your behalf through research, and that research uses names from your database for marketing purposes without the consent of the people identified
What sort of suppliers could be engaged in this risk area?
The suppliers that will be engaged in this risk are typically those that handle a person's personally-identifiable information. This could be any information that includes a person's name, address, contact information, health information, religion, etc. These suppliers can include:
- data-gathering companies and researchers
- marketing companies
- technical support
- due diligence providers.
How are these risks managed?
The risks around protecting personally-identifiable information are normally managed through:
- knowing which information your supplier collects and the process they use to collect it
- ensuring procedures are in place to collect relevant consents for the use of that information
- implementing procedures for the third party whose information is collected to access that information and, in some cases, to change it, restrict its access or have it removed.
Which systems and tools do we provide to manage these risks?
- Reviewing the supplier's policies and procedures around the collection and use of data as they apply to your company
- Ensuring that relevant protections are in place for that data
- Conducting audits and reviews of the procedures through a data audit