Meeting prospective clients’ due diligence demands
Proving your data protection and information security credentials
Many businesses provide a service to other businesses, and once the pitch is done and you’re getting closer to signing that vital and lucrative contract, there can be a hurdle to overcome. Namely, meeting the client’s due diligence and supplier set up requirements.
For bigger well-known service providers this can be a breeze, but often small-to-medium sized organisations can find themselves grappling to prove their credentials. Requests can sometimes feel exasperatingly detailed, irrelevant or over-zealous.
Once you’ve got through the questions about sustainability, environmental impact, modern slavery, diversity, equality and inclusion, there will often be the need to answer questions about your approach to data protection and information security.
This will almost certainly be the case where your company’s services involve handling your prospective client’s personal data on their behalf. To use data protection terminology, if the client is the ‘controller’ and your organisation will act as their ‘processor’.
It’s important this relationship is clear, as there are specific contractual requirements for controllers-to-processors relationships under EU/UK GDPRs. Both parties need to meet their obligations. Are we a controller or processor?
So how can you get ahead of the game and be well-prepared? I’ve put together some key questions you may need to cover off. Some of these points will need to be included in any Controller-Processor Data Processing Agreement.
1. Do you have a Data Protection Officer?
Not all businesses need to appoint a DPO (despite most questionnaires expecting you to). If you don’t have a DPO, you may need to explain who in the organisation is responsible for data protection, and may need to be ready to justify why you don’t need a DPO. DPO Myth Buster
2. Do you have a dedicated Information Security team?
As well as being able to provide details of where responsibility for information security rests within your organisation, you’re also likely to be required to provide details of the security measures and controls you have in place to protect client data. This could for example be restricted access controls, use of encryption or pseudonymisation, back-ups, and so on. You may be asked if you have any form of security certification or accreditation.
Note: For contractual terms, such as a Data Processing Agreement/Addendum it’s likely you’ll need to include a summary of your security measures.
3. What data protection related policies do you have?
The most common requirement is being able to demonstrate you have a Data Protection Policy. This would be an internal policy which sets out data protection requirements and your expectations and standards for your staff. A client could ask to see a copy of this. They might also ask if you have more detailed policies or procedures covering specific areas of data protection such as a data retention, individual privacy rights and so on.
4. Where will your processing of client personal data take place?
Many clients will be looking to understand if an international data transfer (what’s known as a restricted transfer) will be taking place. Whether this is happening will be dependent on your client’s location and your own location – including the locations of any servers you’ll process client data on.
The client may want to confirm there are necessary ‘safeguards’ in place for any restricted transfers, to ensure such transfers meet legal requirements. Examples of these include an adequacy decision, Standard Contractual Clauses (with the UK Addendum if relevant) or a UK International Data Transfer Agreement. They may also ask you about Transfer Impact Assessments. International Data Transfers Guide
5. Do you sub-contract services to third-parties?
You need to be prepared to share details of any third-party companies you use to provide your services which involve the handling, including access to, your client’s personal data. These are referred to as ‘sub processors’. They’ll likely ask you to confirm in which country these sub-processors are based.
Note: International data transfers and working with sub-processors are key elements of the GDPR mandated contractual terms between a controller and processor.
6. What procedures do you have in place for handling a personal data breach?
You may be asked if you’ve suffered a data breach in recent years, and to provide details of your procedures for handling a data breach. We’d recommend all businesses have a data breach plan/procedure/playbook. If you’re acting as a processor for your client, you’ll need to inform them ‘without undue delay’ (often within 24 or 48 hours of becoming aware of the breach). Plus be ready to provide them with all relevant information about the incident rapidly, so they can assess their own data risks and report it to the relevant Data Protection Authority (such as the Information Commissioner’s Office) if appropriate.
7. Do you have a disaster recovery plan and backups?
The GDPR doesn’t detail specific requirements around resilience and disaster recovery – this will depend on the nature and sensitivity of the processing. But if you suffer a data breach (particularly a ransomware attack) you’ll want to make your systems have integrity and are fully operational again very quickly after the event. Your clients will expect this if their data could be affected, so expect to be asked tricky questions.
8. Do you have a Record of Processing Activities?
Organisations with more than 250 employees, or smaller organisations which handle large volumes of special category data or data related to criminal convictions are required under EU/UK GDPRs to have a Record of Processing Activities (RoPA). This requirement applies to both controllers and processors.
You may be asked to confirm you have a RoPA and might be asked more detailed questions about your record keeping. If you don’t fall under the RoPA requirement, you may still need to demonstrate a degree of record keeping relating to use of your client’s data.
9. Procedures for handling client individual privacy rights requests
If you are a processor, handling personal data on behalf of your client, it won’t be your responsibility to respond to privacy rights requests (such as Data Subject Access Requests or erasure requests). However, you may need to assist your client in fulfilling requests relating to the client data you hold. And if you receive a request relating to client data, this must be swiftly sent on to the client.
10. Privacy information
Don’t forget your Privacy Notice (aka Privacy Policy). Before a prospective client works with you, they may look at your website and take a peek at the privacy information you provide. If this is off the mark and fails to meet the key requirements, it could be a warning sign for them that you don’t take your data protection obligations seriously. Privacy Notices Quick Guide
The above is by no means an exhaustive list but should help you to be prepared for some of the key areas you may be questioned about.
At DPN, we often suggest processors prepare a factsheet or FAQ in advance of receiving these due diligence questionnaires. This can really help put your business on the front foot and demonstrate to your clients you’re on the ball for both data protection and information security. Crucially it speeds up the decision-making and onboarding process, as by being well prepared you no longer have to scrabble around at the last minute. So you can start work for your new client more quickly.