
SMEs expose larger firms to privacy breach risks

PR Newswire reported on 18th June that small firms were putting larger firms at risk of data protection breaches by not having robust enough policies, procedures, and work practices when it comes to handling data. According to a report by Shred-it, SMEs are particularly poor with activities such as shredding documents and disposing of hard drives.

The report claims that SMEs are “10 times less likely to have an information security system set up than is the case with larger businesses”.

Absolute Data are often asked to help large businesses evaluate SMEs that they wish to appoint as data processors, whether that’s a call centre, a web hosting company, or a data destruction facility – and we have developed a set of tools to enable us to effectively measure and compare providers in an objective and consistent manner.

In our experience there are numerous organisations, both small and large, providing data processing services to our clients who are simply not providing a good enough or robust enough service. The report is absolutely right in its assertion that poor data handling processes in a supply chain introduce a huge element of uncontrolled risk to data controllers, and it is the controller who is ultimately responsible for the entire supply chain.

We recently worked with an international company who used a team of very large pan-European service providers as data processors. We found that 50% of processors were working with NO contract in place, that the data was being off-shored to the USA without the knowledge of our client, and that redundant computing equipment containing our client’s data was lost for a period of weeks. All very worrying stuff.

So our view is that you cannot rely on the size of a data processor – you have to either do your own due diligence, or get an expert firm like Absolute Data in to assess the risks on your behalf.
