Top 3 data protection program issues and how to start resolving them: #24
Understanding processing roles is often complex and can be a major source of irritation when the various parties don’t agree, or misinterpret each others’ roles, especially during the early phase of the lifecycle.
And although it may sound obvious, a life-cycle phased approach is essential with gates, or exit criteria defined between the various phases.
If not, things can turn sour as outlined in the following issues we often come across.
#1 Processor selection
Selecting a processor should follow your company’s vendor selection process, assuming you have one.
It may be anchored in procurement or sourcing, again, if you have these functions.
The process should refernce a formal set of requirements that allows comparison of various parties.
This can go badly wrong when overzealous colleagues are coerced by the sales talk of a third party to move fast, resulting in the data protection team having to work under pressure, and without the ability to actively take part in comparing vendors…because only one was considered!
#2 Insufficient due diligence
Coupled with the first issue, critical due diligence steps get bypassed and your company enters into an agreement with a processor where little is known about them, other than their solution or services are favoured by the business, often with little focus on, or understanding of data protection.
#3 Imbalances between parties
There’ll be a world of difference between whether you are dealing with one of the large global players, or a smaller niche processor.
Here, imbalances of power come into play.
On the one hand, you’ll have little opportunity to push your requirements through to the bigtech processor, and will probably need to accept working to their agreement, putting you on the back foot.
At the other extreme, if you push your stringent requirements too hard, it may be beyond the financial capability of a niche player to live up to them.
You then face a business decision whether to work at risk with them.
Purpose and Means help Data Protection Leaders refresh their work focusing on business alignment and orchestration.
We’re based in Denmark, but operate globally.
If this issue resonates, book a call to discuss your requirements!