Applying GAPP to your Assessment
GAPP contains guidance that your organization can use to develop sound third-party management policies and procedures. As you answer the 10 questions for your organization, these are the specific GAPP criteria you should reference.
1. Who are the outsourcing organizations we contract with and where are they located?
   (2.2.2) Notice be given about all entities and activities covered
2. Precisely what data are we sending to, and receiving from, outsourcing organizations?
   (4.1.2) Types of personal information collected and methods of collection
3. Is the data "personal information," and have we given notice to our customers of this data transfer?
   (2.2.2) Notice be given about all entities and activities covered
   (7.1.1) Communication to individuals about third parties
   (7.2.3) Implicit or explicit consent of new uses of the personal information by third parties
4. What are our exposures if the data (both sent and received) is improperly accessed, used or maintained?
   (4.2.3) Personal information collected from third parties is reliable, and lawfully and fairly collected
   (6.2.5 and 6.2.6) Ability to update or correct personal information held by the third party and give a reason for denial of an update request
   (9.2.1) Accuracy and completeness of personal information obtained from and used by third parties
5. What data protection clauses do we have in these contracts?
   (1.2.5) Review all third-party contracts and service-level agreements
   (7.1.2) Your organization's privacy policies are also communicated to third parties, and their agreement of equivalency is obtained
   (7.2.2) Specifically requires that personal information is disclosed only to third parties who have agreements with the entity to protect personal information
6. What evidence do we have that these outsourcing organizations protect our data as outlined in these data protection clauses?
   (6.2.2) The identity of individuals who request access to their personal information is authenticated before they are given access to that information
   (7.2.2) Personal information is disclosed only to third parties who have agreements with the entity to protect personal information
   (8.2.1) A security program has been developed, documented, approved and implemented
   (8.2.2) Logical access to personal information is restricted by specific procedures
   (8.2.3) Physical access is restricted to personal information in any form
   (8.2.4) Personal information, in all forms, is protected against accidental disclosure due to natural disasters and environmental hazards
   (8.2.5) Personal information is protected when transmitted by mail, and over the Internet and public networks
7. What processes are in place to monitor the outsourcing organizations?
   (1.2.11) Changes in business and regulatory environments be identified and addressed
   (7.2.4) Taking remedial action in response to misuse of personal information
8. Do these organizations outsource any of their processes in which our data may be further transferred to another organization?
   (2.2.2) Notice be given about all entities and activities covered
   (7.1.1) Communication to individuals about third parties
   (7.2.3) Implicit or explicit consent of new uses of the personal information by third parties
9. What processes do the outsourcing organizations we contract with use to verify the data protection practices followed by their outsourcing partners?
   (6.2.3) Personal information is provided to the individual in an understandable form, in a reasonable time frame and at a reasonable cost
   (8.2.1) A security program has been developed, documented, approved and implemented
   (8.2.7) Testing the effectiveness of key administrative, technical and physical safeguards that protect personal information
10. What are the applicable privacy laws and regulations?
   (1.2.2) Consistency of privacy policies and procedures with laws and regulations