Large companies are tightening up contractual data protection policies for vendors. I am seeing tough requirements in agreements, of the kind one might expect:
- Limits on the personnel that could access the data
- Prohibitions around the data’s storage on portable devices (including laptops as well as thumb drives)
- Strict encryption requirements
- Security audits by the customer
None of this is bad per se. The problem is that the large companies are not limiting the restrictive provisions to what is called personally identifiable information (PII). The definitions of “confidential information” are very broad.
The requirements can be illogical in some cases. Consider my clients who produce videos for their customers. Information about customer products is “confidential”. But “information” in this case is in the form of videos (or at least creative content) provided by the customer for the sole purpose of making it very public indeed. The data protection policies fail to take this into account.
I fear three results from this:
- The additional protective measures are expensive, and the consumer will end up footing the bill.
- The broader the definition of “confidential information”, the larger the impact on the small company’s productivity and the higher the cost.
- The small company is put at a disadvantage. I have not researched this issue in any scientific way, but a start-up where every member of the team wears multiple hats must find these policies more difficult to implement than its larger competitors do.
The need for increased data protection will cost the economy. Limiting the damage by allowing leeway for the smaller companies where the protection is superfluous could help.