Which of the following is the BEST way to protect personal data in the custody of a third party?

Which of the following is the BEST way to protect personal data in the custody of a third party?
A . Have corporate counsel monitor privacy compliance.
B . Require the third party to provide periodic documentation of its privacy management program.
C . Include requirements to comply with the organization’s privacy policies in the contract.
D . Add privacy-related controls to the vendor audit plan.

View Answer

Answer: C

Explanation:

In GDPR parlance, organizations that use third-party service providers are often, but not always, considered data controllers, which are entities that determine the purposes and means of the processing of personal data, which can include directing third parties to process personal data on their behalf. The third parties that process data for data controllers are known as data processors. The best way to protect personal data in the custody of a third party is to include requirements to comply with the organization’s privacy policies in the contract. This means that the organization should specify the terms and conditions of data processing, such as the purpose, scope, duration, and security measures, and ensure that they are consistent with the organization’s privacy policies and applicable privacy regulations. The contract should also define the roles and responsibilities of both parties, such as data controller and data processor, and establish mechanisms for monitoring, reporting, auditing, and resolving any issues or incidents related to data privacy.

Reference: CDPSE Review Manual (Digital Version), page 41