How Service Providers Win When Customers’ P&Ps Are Documented
Author’s note: The following describes the benefits of client P&Ps to data disposition (shredding and ITAD) service providers. The principles and benefits listed are equally compelling for all Data Processors, such as billing and AP, medical waste, managed services, data backup, records storage, etc.
Let’s start with the basics: Every customer that is covered by any data protection regulation (most, if not all) is required to have written data destruction policies and procedures. In requiring this, regulators universally understood that without such written P&Ps, it would be impossible for Data Controllers to train employees or hold management accountable.
Despite this requirement, most clients still do not have P&Ps, and when they do, they are often inadequate. Let’s face it, a policy stating, “all sensitive information shall be securely destroyed prior to disposal” is not a very useful procedure and would certainly be deemed negligent if challenged.
Since the purpose of and reason for the policy is employee training and management accountability, it should address:
- Accountability (compliance, training, enforcement, auditing, etc.)
- Processes (isolation/collection, staging, chain of care and custody verification, vendor selection process and criteria, destruction methodology, responsible disposal, etc.)
- Media (paper, magnetic tape, fiche, electronic, peripherals, etc.)
- Record Types (incidental, duplicate, controlled, etc.)
- Record Classifications (proprietary, regulated, classified, etc.)
Sounds difficult, right? IT ISN’T. Often, it is simply documenting what is already being done. Other times it means asking a few questions to plug some holes.
From the service provider’s perspective, helping (or encouraging) a client to document their disposition policies is incredibly beneficial.
First, and most importantly, it better protects the client. It makes the client compliant with the regulations. If ever challenged by the boss or by regulators, they are ready. Even if something bad happens (which is less likely with written P&Ps), the client is a lot better off if regulators find that they have good P&Ps. Regulators have proven they are willing to forgive organizations for bad acts by rogue employees. What they don’t forgive is not having the P&Ps that tell employees what to do.
Second, it unearths and consolidates other opportunities. A thorough examination of all information disposition needs invariably exposes weakness and omissions requiring additional attention. This often translates into significantly more business from an existing client.
Third, it builds client loyalty. A service provider that helps their client create the required P&Ps, by definition, goes from being a generic service provider to being a compliance partner. There is incredible value in being able to collaborate with the client, generating a work product that makes them compliant while, at the same time, better protecting them.
One of the best things about this strategy is that it focuses on existing clients. There’s no cost of customer acquisition. There’s no selling other than making the option available to them. Would they like to have the required written P&Ps, or do they prefer to be on the wrong side of the regulation? The question answers itself.
Frankly, if I were a client, the first place I would turn for P&Ps is my service provider who hypothetically should know what is required.
The only real question is for the service provider. Do they want to fulfill their responsibility as a data protection professional and better protect and improve their standing with existing clients…all while generating more income? Again, the question answers itself.
© 2023 Privata Vox, LLC - All Rights Reserved
Bob Johnson, CSDS, CIPP/US, is the Principal Advocate at Privata Vox, LLC. Read more about his long career in privacy and data protection policy development.
Scan OR Click QR Code below to automatically add to contacts