Data Protection Checklist when Selecting Suppliers | DMA


Data Protection Checklist when Selecting Suppliers


For many businesses, one of the most challenging and surprising aspects of GDPR was the work of identifying all of their suppliers, putting contracts in place, managing those relationships and preventing data breaches.

Many underestimated the time and energy it would take simply to capture who they were contracted with, let alone to establish what personal data each supplier was processing. For many, the GDPR project turned into a procurement project once the true scale of uncontracted relationships emerged.

Two years on, many projects to get on top of supplier contracts remain unfinished, and that represents a significant risk to the business.

According to the Ponemon Institute an average company shares sensitive information with 583 third parties as part of its business activity and only 34% of organisations keep a comprehensive inventory of those third parties.

This does not necessarily reflect badly on businesses that are working through this task alongside a myriad of other challenges, but if you have limited visibility of how your data is processed, and of whether sub-processors are involved, you are exposed.

It has also become clear that businesses were right to fear the impact of third-party data breaches. In 2018-2019, the incidence of data breaches occurring at third parties increased 35% year on year, and such breaches are attracting large fines, so this is an area to be taken seriously.

What should you do to simplify the process?

Helpfully, the ICO guidance on what a controller-processor contract must contain (the mandatory terms set out in Article 28 GDPR) is pretty straightforward. Putting contracts in place is only the first step, however: companies also need to demonstrate accountability.

What does this mean?

You need to make sure suppliers are actually doing what they say they will do, through risk assessments and audits. This includes knowing how your suppliers will respond to a crisis such as a data breach, and how quickly they will notify you.

If you feel overwhelmed by the number of suppliers, it is important to realise that you cannot risk-assess every supplier to the same level of granularity. In effect, you need to risk-assess the risk assessments: decide which suppliers warrant close scrutiny and which can be covered by lighter-touch checks.

This is the point at which technology can certainly help to lighten the load once you’ve figured out your plan of action.

Supplier Contract Due Diligence Questionnaires

When you negotiate a contract with any new supplier it is good practice to consider the following in your supplier questionnaire:

  • Does the contract set out what personal data is used for what purpose?
  • Is the contracted partner a controller, joint controller or processor?
  • Depending on the controller/processor relationship, do you have a Data Processing Agreement or a Joint Controller Agreement in place?
  • Does the contract highlight the importance of confidentiality?
  • Does the contract provide for audits and inspections?
  • Is it clear who is accountable and liable for different activities?
  • Is there a provision to cover third party processing of data?
  • What process exists for managing data when the contract ends?
  • Is the personal data that's being processed detailed in your and their 'Record of Processing Activities'?
  • Does the supplier hold any form of certification for their processing activities?

Conducting an Audit – Questions to Consider

When you choose to audit your suppliers, it is important to decide who should be audited and which aspects of the supplier's business need to be scrutinised.

You should also consider how frequently you audit, given the nature of the relationship and the level of risk associated with working with that supplier.

All of this makes the audit decision an inexact science, so it makes sense to create your own framework, so that you can demonstrate your thought process if the ICO ever comes calling. Factors to consider:

  • How much data is handled?
  • What type of data is handled – how risky is the process?
  • What would be the impact if a data breach occurred?
  • Was the quality of due diligence reporting at contract initiation good?
  • Is the supplier accredited/certified?
  • Have there been any complaints relating to privacy / breaches?
  • Have there been changes in ownership?
  • Have there been significant changes in processes and workflow?

Conclusion: The Six Step Checklist

1. Due diligence - Have you worked through the ICO's criteria for compliant contracting when carrying out contract due diligence? Do you have a questionnaire in place to identify the what, where, when and how of data processing, and the data protection and security measures in place?

2. Have you lost sight of your data? - If at any point you lose sight of the personal data, or rely on another company's warranty about the scope of consent attached to it, caution is needed and further investigation is required to follow the data trail.

3. Is the management of personal data audited in any way? A contractual paper trail supporting the authorised use of the personal data is, on its own, simply not enough to justify many use cases; you need evidence that the supplier's practice matches the contract.

4. Do you have an audit programme in place? Annual audits of all suppliers may not be possible but it makes sense to rotate audits and maintain an up-to-date record of their processing activities.

5. Deciding on the frequency of audits is an inexact science and depends on the level of risk associated with processing the data. Consider the likely factors relating to risk, volumes, sensitivity of data and so on, that will need to be taken into account to determine the frequency.

6. Certification - in the absence of an approved GDPR certification scheme, alignment with the recently published ISO 27701, the standard extending ISO 27001 into privacy and personal data management, is worth considering as a proxy while we wait for approved schemes to emerge.
