Risk Assessments

  • 1.  Data or Information Broker Question

    This message was posted by a user wishing to remain anonymous
    Posted 11-10-2020 08:33 AM

    Good afternoon,

    We are looking to add a question to our risk assessment to identify data or information broker relationships. Does this community have any examples they could share?


  • 2.  RE: Data or Information Broker Question

    Posted 11-12-2020 11:20 AM
    The question can go two ways. (1) Privacy (2) looking for any fourth, fifth, etc. party relationship that might exist.
    If you are looking for confirmation the vendor adheres to privacy laws, ask:
     (1) Does your organization adhere to the privacy laws in the state of California?
     (2) Does your organization adhere to the privacy laws in the state of New York?
     (3) Does your organization comply in all aspects with GLBA 501 (b)?
     (4) Does your organization comply in all respects with GDPR?

    If the vendor answers yes to all four questions and they can demonstrate compliance you have a good idea they are sound on the privacy front.

    If you're trying to establish whether or not the vendor has fourth or fifth parties performing data analytics, try the following:
     (1) Does your organization subcontract data analytics in any form?
     (2) Does your organization require consumer consent before their data is collected?
     (3) Does your organization use any vendor or subcontractor that would have access to your systems, network or data?
     (4) Will any data your organization collects be accessed in any manner by one of your vendors?

    That will get you started.  Of course, this is a very high level set of questions. You can see how this could get very detailed very quickly.

    Does anyone else have a question or set of questions they use that might prove useful to our colleague here?