Business data protection when working with external suppliers

Security Fridays Week 17 – Ensuring policies and technologies are in place to comply with GDPR

One of the sections of GDPR that tends to be forgotten about is that if you allow third parties access to your data, then you are liable for what they do with that data. Their breaches are your breaches.

With the complex business relationships that most organisations require to function, it is vital that this is accounted for in the data lifecycle policy and processes. Such a policy should dictate what information an organisation collects and stores internally, should absolutely control exactly what information is shared with these external parties and under what circumstances, and should include the capability to delete that data when it reaches the end of its functional life.

The third party that is accessing the data should likewise have its own policy that dictates what information it will accept from its business partners and should take steps to avoid obtaining any data outside of this remit. This policy should also cover the usage of that data and the destruction of that data at the end of its usage to avoid any retention issues. 

It is the source organisation’s responsibility to check that both their own and the third party’s policies are correct, compliant and compatible before allowing them any access to any data.

Suitable technologies should be put in place to enforce these policies and to operate as a barrier that prevents any sort of data access outside the confines of these agreements.

Tips

1 – Create suitable data lifecycle and retention policies for both organisations in any transaction of data. Each should be agreed upon by both parties and enforced.

2 – Consider providing technology to any external organisation that needs to access your data. Providing devices of known configuration with suitable security tools in place, and refusing to provide administration access, extends your security policy into that third-party organisation directly. This allows direct control and monitoring of the data being accessed and of what happens to it, ensuring that your policies are enforced even externally.

3 – Audit everything. Make sure that the data being shared is in line with the policy by using data discovery and classification, and make sure that you can audit its movement. Non-compliant activity should be detected a long time before a DPA becomes involved.

Published: 21 August 2020

Category: Industry News

Compliance / Data Discovery / DLP

Chris Cassell, Technical Specialist

Chris has worked in the IT industry for seventeen years in a variety of roles, from helpdesk (where we all started) through desktop support up to technical consultant. Chris’ specialisms lie in network security, design and analysis.
