Privata Vox® Blog

Why Data Processors Need Two Information Protection Policies

This entry explains why data processors (in particular) should have two distinct complementary types of information protection policies: one outlining the information security practices related to the services they provide data controllers, and another covering how they protect the vital information used to run their business.

All modern data protection regulations require data controllers (clients) to have written contracts with their data processors (service providers) aligning and enforcing the processor’s required written policies and procedures.

These controller-required information protection policies, however, are limited specifically to the processor’s processing activities. They cover things like background screening of employees, access to personal information, breach reporting, use limitations, enforcement of data subject rights, and the network security of the computers on which any processing takes place. And, though these policies are not public, they may, by their very nature, be shared with controllers, regulators and auditors, and there is some chance they will find their way into competitors’ hands. While this may make some processors uncomfortable, it shouldn’t. In fact, most service providers adhere to industry-standard processing safeguards, in which case their processing-related policies are likely to be indistinguishable from their competitors’. In other words, processing-related policies usually do not represent a competitive advantage.

There is another category of information protection policies, however, that has nothing whatsoever to do with a firm’s data processing safeguards and that should not be shared outside the organization. Not only are these policies irrelevant to the processing-related ones, but exposing them outside the organization undermines their value in defending the firm’s intellectual property. As a result, these broader policies should themselves be defined and secured as intellectual property.

This second category of information protection policies applies to issues such as internal information access and sharing, classification and protection of trade secrets, IT hardware management, BYOD policies, A.I. usage, the administration of permissions and access controls, retention, authorization, and final disposition, internal accountability and governance, and the application and enforcement of patents and trademarks.

It will come as no surprise that, of the two, it is far more common for data processors to have policies addressing their processing activities, since controllers and regulations require them to.

As for policies addressing the full scope of information protection, it is more common than not for organizations to limp along with inadequate policies or none at all, despite the fact that intellectual property may be leaking to competitors right and left, and even though there would be little chance of defending their intellectual property rights without such policies.

Of course, the shame of this oversight is that codifying broader general information protection policies is not that difficult.

The fact is that most organizations are already taking steps to protect their mission-critical information; they simply haven’t documented them. And though it is true that any organization examining its information protection practices is bound to discover areas in need of improvement, it is clearly better to find and plug those gaps than to pretend they don’t exist.


© 2024 Privata Vox, LLC - All Rights Reserved
