In the Spotlight: Supply Chain Compliance
Data privacy laws are becoming more complex and widespread with the European Union's recent implementation of the General Data Protection Regulation. Other nations are mirroring this regulation, making privacy laws stricter and defining more precisely what personally identifiable information includes.
BGRS’s Thomas Smat, Director, Client & Supplier Audit, shares his insight on how BGRS is supporting the implementation of improved privacy data laws with our supplier partners and how these types of policies support BGRS’s standards in keeping their clients’ information secure.
How does BGRS ensure the security of its clients’ and customers’ personally identifiable information (PII)?
Tom Smat: At BGRS, our clients' data privacy and security is a top priority. BGRS continuously monitors our own security posture, as well as our suppliers', by enhancing our security to protect client data against an ever-changing threat landscape. BGRS has many layers of security, including being certified under the EU-U.S. Privacy Shield Framework that covers data transfers from the EU to the U.S. and abroad.
All BGRS employees participate in ongoing trainings that reinforce how to recognize and respond to security threats. We also operate with many layers of security, such as physical security, device security standards, data loss prevention, encryption, application security, access controls, security awareness and data destruction.
What processes does BGRS follow to ensure its supplier partners are implementing parallel compliance standards?
Tom: BGRS has recently introduced a second extension to its supplier audit program to ensure our partners are compliant and keeping our clients’ and their mobile employees’ information safe. The first part of the audit program uses an online audit tool that analyzes our suppliers’ security and methods of protecting the sensitive information they are working with.
The second, newer part of the audit program is onsite audits. BGRS travels to different suppliers to analyze their working environments against three broad categories for data security: physical security of their building and offices, server rooms, and more; digital security methods for handling data; and the personal security practices of each employee handling BGRS clients' data. After the audit is complete, BGRS provides its supplier with a report explaining our findings during the audit. If a supplier has any violations of data laws or BGRS privacy standards, depending on the issue, they may have up to 90 days to correct the noncompliance.
Given the recent implementation of the General Data Protection Regulation (GDPR) policy, how has GDPR set the pace globally for privacy protection?
Tom: The implementation of GDPR in the EU has made companies responsible for their own and their suppliers’ data, and has reshaped the way data is handled across the globe. Since its implementation, APAC has introduced the Asia Pacific Economic Cooperation (APEC), consisting of 27 countries, which implemented the APEC Privacy Framework for cross-border privacy regulation. Other countries across the globe are instituting their own data protection regulations as well, including North America, Malaysia and the UK. BGRS’s Data Protection Officer (DPO) periodically conducts audits of data protection efforts and works directly with data subjects that raise concerns or requests for information.