Tips for Vetting Third Parties for Data Care

Before jumping into a digital transformation initiative, do some serious planning. In looking at which areas and processes you hope to improve, recognize the criticality of your data sets as the company’s most important asset.

Alan Gutierrez-Arana, National Sensitive Data Cybersecurity Consulting Practice Leader, Mazars

April 27, 2023

4 Min Read
Pablo Lagarto via Alamy Stock

What does digital transformation really mean for your company? If you check the latest news in technology, you will read and hear “Digital Transformation” in almost every IT news outlet. The term has become ubiquitous in almost every tech sales pitch. But what does it really mean to you and your company? Is digital transformation equal for all industries?

Digital transformation encompasses the adoption of technologies to modernize and automate processes with the intent of gaining operational efficiencies and taking your company to higher degrees of growth. Sounds simple, right? Well, keep in mind that behind any business process you would like to improve, there are layers of people, technology, processes, and sub-processes that add different degrees of complexity. It is a must to understand their criticality for your business’s day-to-day operations.

The layers mentioned above (people, processes, technology) present different inherent characteristics that influence the success of your digital transformation journey. Many times, we tend to believe that the focus of digital transformation resides in the technology layer. However, without people’s acceptance of change and transformation, your transformation project will struggle.

Understanding the culture of your company’s leadership and staff is critical during strategic planning to define an adequate roadmap for your digital transformation. Without people's acceptance and understanding of the upcoming changes, your chances of failing in your project are significantly high.

Data Sets: Most Important Asset

In looking at which areas and processes you hope to improve, recognize the criticality of your data sets as the company’s most important asset.

These are keystone questions you need to ask yourself before embarking on your digital transformation journey: What types of data do we process, store, or transmit during the execution of our regular business and operations processes? What is the value that such data has to our business? Understand the value of customers’ and third-party partners’ data, otherwise the chances are higher that digital transformation projects will run into scope creep or endless loops of changes and modifications, compared to having a good mapping of your data and the criticality of the different datasets. At the same time, without understanding the different types and values of the data in your organization, the risk of introducing new security gaps when implementing new technologies in your environment can exponentially grow.

Always consider, as a minimum, conducting activities around:

  • Data classification and data location importance

  • A data-centric approach to evaluating business processes and the technologies supporting those

  • Identifying and evaluating risk through the appropriate risk mitigation strategies

The contracting diligence in the third-party selection process is imperative once your company has decided to embark on a digital transformation path. As of today, there are multiple options available in the market, from companies offering tailored solutions for specific industries to different sizes of companies. While most of these solution providers promise to make your journey through digital transformation as smooth as possible, there are several steps I suggest conducting prior to inking a contract:

  1. Does your selected vendor have a proven record of successful implementation of digital transformation projects with companies in your industry and of your size?

  2. Is the vendor compliant with the different data protection standards and regulations? This is essential if you will be sharing your company’s data or if the vendor, through the different stages of the project, could eventually have access to your customer’s data.

  3. Is your vendor willing to contractually accept to enforce and oblige to your established information security and data protection policies and procedures?

  4. Are the roles and responsibilities of each party, especially around data security and protection, clearly defined and documented in the contracting process?

Taking some of these initial diligence steps could help reduce not only uncertainty around the quality of your vendor, but it also serves as a good baseline for risk management and identification of potential areas where you could be facing a higher degree of risk.

Another aspect to consider is avoiding excessive focus on savings. Cost reduction is just part of the outsourcing benefits equation; it cannot be seen as the major drive for outsourcing processes or selecting the right partner. I believe at this point we all are aware that cheaper will not mean better in most cases, and there is no exception for technology projects. Going for the cheapest provider will almost certainly imply further expenditure in the future, and you would be lucky if those costs are not associated with data security or, in the worst-case scenario, costs associated with customer data breaches and loss.

About the Author

Alan Gutierrez-Arana

National Sensitive Data Cybersecurity Consulting Practice Leader, Mazars

Alan Gutierrez-Aranais principal and sensitive data cybersecurity compliance leader for Mazars. Alan has over 25 years of experience providing IT security and controls assessments, regulatory compliance consulting services for a broad range of insurance, banking, finance, and high technology companies.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights