Data Protection Checklist when Selecting Suppliers | DMA
DMA - Data and Marketing Association

Filter By

Show All
X
Start Contributing
My Contributions
X
X

Connect to

X

Data Protection Checklist when Selecting Suppliers

04 Aug 2020

T-dpn_data-protection-network_rgb.jpg

For many businesses, one of the most challenging and surprising aspects of GDPR was the process of identifying all your suppliers, putting contracts in place, managing these relationships and preventing data breaches.

Many under-estimated the time and energy it would take to capture who they were contracted with, let alone figure out what data was being processed. For many the GDPR process morphed into a procurement process when the true scale of uncontracted relationships emerged.

Two years on, many projects to get on top of supplier contracts remain unfinished which represents a huge risk to the business.

According to the Ponemon Institute an average company shares sensitive information with 583 third parties as part of its business activity and only 34% of organisations keep a comprehensive inventory of those third parties.

This doesn’t necessarily reflect badly on businesses who are trying to work through this task alongside a myriad of other challenges but if you have limited visibility into how data is processed and whether sub-processors are involved you are exposed.

It has also become clear businesses were right to fear the impact of third-party data breaches. In 2018-2019, the incidence of data breaches occurring with third parties increased 35% year on year. And we can see that breaches are attracting big fines so this is an area to be taken seriously.

What should you do to simplify the process?

Helpfully, the ICO guidance on what should be included in contracts is pretty straightforward. In addition to ensuring contracts are in place, companies need to demonstrate accountability.

What does this mean?

You need to make sure suppliers are doing what they say they are going to do through risk assessments and audits. This obviously includes knowing how your suppliers will respond to crises such as data breaches.

If you feel overwhelmed by multiple suppliers, it’s important to realise you cannot risk assess every single supplier to the same level of granularity. Effectively you need to risk assess the risk assessments.

This is the point at which technology can certainly help to lighten the load once you’ve figured out your plan of action.

Supplier Contract Due Diligence Questionnaires

When you negotiate a contract with any new supplier it is good practice to consider the following in your supplier questionnaire:

  • Does the contract set out what personal data is used for what purpose?
  • Is the contracted partner a controller, joint controller or processor?
  • Depending on the controller/processor relationship, do you have a Data Processing Agreement or a Joint Controller Agreement in place?
  • Does the contract highlight the importance of confidentiality?
  • Does the contract provide for audits and inspections?
  • Is it clear who is accountable and liable for different activities?
  • Is there a provision to cover third party processing of data?
  • What process exists for managing data when the contract ends?
  • Is the personal data that's being processed detailed in your and their 'Record of Processing Activities'?
  • Does the supplier hold any form of certification for their processing activities?

Conducting an Audit – Questions to Consider

When you choose to audit your suppliers, it’s important to decide who should be audited and what aspects of the supplier business needs to scrutinised.

You should also consider how frequently you audit, given the nature of the relationship and the level of risk associated with working with that supplier.

All of these reasons make the audit decision an inexact science, so creating your own framework makes sense so that you are able to demonstrate the thought process if the ICO ever comes calling. Factors to consider:

  • How much data is handled?
  • What type of data is handled – how risky is the process?
  • What would be the impact if a data breach occurred?
  • Was the quality of due diligence reporting at contract initiation good?
  • Is the supplier accredited/certified?
  • Have there been any complaints relating to privacy / breaches?
  • Have there been changes in ownership?
  • Have there been significant changes in processes and workflow?

Conclusion: The Six Step Checklist

1. Due diligence - Have you worked through the ICO’s criteria for compliant contracting when carrying out contract due diligence? Do you have a questionnaire in place to identify the what, where, when and how of data processing? The data protection and security measures in place.

2. Have you lost sight of your data? - If at any point you lose sight of the personal data or take another company’s warranty about the scope of consent attached to personal data then caution is needed and further investigation is required to follow the data trail.

3. Is the management of personal data audited in any way? Again, a contractual paper trail supporting the authorisation of use of the personal data is simply not enough to justify many use cases.

4. Do you have an audit programme in place? Annual audits of all suppliers may not be possible but it makes sense to rotate audits and maintain an up-to-date record of their processing activities.

5. Deciding on the frequency of audits is an inexact science and depends on the level of risk associated with processing the data. Consider the likely factors relating to risk, volumes, sensitivity of data and so on, that will need to be taken into account to determine the frequency.

6. Certification - in the absence of an approved certification scheme, alignment with the recently published ISO 27701, the standard extending ISO27001 into privacy and personal data, is worth considering as a proxy whilst we wait for approved schemes to emerge

Julia Porter Julia Porter

Data Protection Network
Partner

Hear more from the DMA

Please login to comment.

Comments

Related Articles

How to market effectively and sustainably

When thinking about sustainable marketing, often we think about the channels we use, or materials we use in a physical sense. We overlook things like the audience targeting, data cleanse & optimisation, which have a big impact on minimising wastage.

1714037684255.png

Reimagining CX - Building Customer Advocates

Purple Square’s Tim Biddiscombe interviewed marketing data and tech industry veteran Andy Masters about the essential roles of listening, learning and trust in building holistic and effective customer journeys.

Thumbnail Reimagining CX _Andy Masters 600x400.jpg

Loopholes in Marketing Automation - The Case for Real-Time

The subject of Generative AI and Real-Time Personalisation, two very interesting, interrelated subjects, in that they both deal with the here and now, presenting information with an immediacy and accuracy bordering on the prescient.

iStock-1366023601.jpg

How CX is taking centre stage in the Travel and Tourism industry

Travel and tourism enterprises face challenges in delivering tailored customer experiences amidst rising expectations.

iStock-1484358444 600x400.jpg

Expand

Copyright DMA 2024 © All Rights Reserved