
10 Data Security Questions to Ask Your Technology Vendor
January 10, 2018
Steve Kemsley, Information Security Manager


Data is the key to understanding your audience and ensuring future success and growth. Your users have trusted you with personal information, so it is imperative that this data, and your brand’s reputation, is protected.

A number of recent high-profile data thefts highlight just how vulnerable organizations are to cyber criminals. In September 2017 credit rating company Equifax was hit by a data breach that exposed the social security numbers and other personal data of around 143 million US citizens, while Uber recently hit the headlines for concealing a massive breach of the personal information of 57 million customers and drivers in October 2016.

There are serious legal implications and penalties for data breaches of this kind, as well as the obvious damage to brand reputation that comes with it.

This is why data security is one of the most important factors when choosing a technology provider. You should question any potential vendor closely to find out what safeguards they have in place.

Questions to ask include:

  • Where will data be stored?
  • Will data be encrypted?
  • How will data be backed up, and will the backups be encrypted?
  • Will regular vulnerability tests be conducted?
  • Who has access to the data, and do the access-control mechanisms in place meet your IT security policy or standards?
  • Will the vendor outsource parts of their technology to a third party? It’s the vendor’s responsibility to ensure sub-processors have appropriate security measures in place to protect personal data, but it’s a good idea to carry out your own audit checks.
  • Who owns this valuable data? No matter how happy you are with your provider right now, you could go your separate ways in the future, and you need to know whether the data can go with you.
  • Do their processes comply with data protection laws? In Europe, the General Data Protection Regulation (GDPR) comes into force in May 2018, and organizations could be fined millions for serious offences.
  • What recovery arrangements are in place in the event of an IT infrastructure incident?
  • Do they offer 24/7 support? Under GDPR, authorities will take into account how long it took to resolve the problem when deciding on a suitable penalty, so it pays to resolve things as soon as possible. A quick response can also save your reputation.