If you are a data controller and play a legal role in the decisions an organisation makes on processing personal data, no doubt you’ve suffered a headache or two ensuring you are GDPR compliant. But how recently have you focused your attention on the third-party collaboration tools your organisation uses?
Does your collaboration tool meet your compliance needs?
Third-party collaboration tools generally offer a one-size-fits-all solution, especially regarding encryption and data security compliance. Unfortunately, each economic zone has its own data protection and compliance regulations.
Depending on the type of data, where it is acquired and stored, and/or the business location, you will need to ensure that your collaboration tools and their usage keep your organisation compliant.
Are you applying purpose limitation in your use of collaboration tools?
Most effective collaboration tools can be partitioned into separate accounts or projects to restrict data to the specific users who need to use it.
Partitioning is often done by project, client, function, department or activity. Under Article 5 of the GDPR, the data controller must be able to demonstrate that access to data is limited, including within third-party collaboration tools.
Often, as a by-product of collaboration, data is shared or stored on the tool, making it susceptible to loss or theft. The tool must therefore be configured as restrictively as possible.
Large organisations may have hundreds or thousands of users and partitions, and it is impossible to monitor them all in real time to ensure compliance with external and internal data protection regulations.
For this reason, user training is essential. Personnel who use collaboration tools have to take ownership of their role in data security. For this to happen there needs to be a real change in culture.
As data controller, can you demonstrate that every precaution has been taken?
Data controllers must be able to demonstrate that stringent password control policies, including increased complexity and regular changes, have been implemented. Pseudonyms would also be required to mask identities, making it more difficult for hackers to target key data processors.
Ultimately, there needs to be a change in culture when using third-party tools.
Layer 8’s experience is that the most effective approach to take when looking to change the culture of security and data protection compliance is to get users and personnel to buy into the process. The most effective strategy is to provoke conversations and allow collaborators to explore the problem of security and their role in providing the best solution.