Data protection and our suppliers

February 2023

How to manage the third parties we work with

One of the more challenging aspects of data protection compliance has been identifying and managing all our suppliers.  Those acting as our processors, supporting our business.

Making sure appropriate contractual terms are in place, whilst doing all we can to protect the business from supply chain data breaches (which are all too common) can become onerous. It can help to take a risk-based approach, focusing on the suppliers which represent the biggest business risk first.

Alongside this, for any new suppliers we need to make sure we carry out appropriate and robust due diligence.

Years after GDPR was implemented, many projects to tackle supplier management remain unfinished, representing an ongoing risk. If we have limited visibility into how our data is processed by our suppliers (and any sub-processors) it clearly leaves the business exposed.

What does good supplier management look like?

In short, we need to make sure our suppliers are doing what they say they’ll do to protect personal data, using risk assessments and audits. This includes knowing how our suppliers will respond when it comes to the crunch– a data breach. How quickly and fully will they notify us, how will they assist us?

Seven-point supplier management checklist

1. Due diligence – Do you have a questionnaire in place to identify the what, where, when and how of data processing? What data protection and security measures are in place? Is there evidence to prove this? It’s good practice to request meaningful answers to certain questions, such as:

  • Do they have a DPO or another individual in the business responsible for data protection?
  • Can they provide evidence of data protection policies and procedures?
  • Have they experienced a data breach before?
  • What information security procedures do they have in place?
  • How regularly are their security measures tested?
  • Do they hold any form of certification?
  • In which country/region will the data be processed?
  • Who are their sub-processors and where do they process the data?

The above is by no means an exhaustive list.

2. International Data Transfers 

There are additional considerations if international data transfers come into play. If we’re sharing data (or allowing it to be accessed) by a supplier in a third country, we need to check what safeguards need to be in place.

For countries where there’s no adequacy decision (allowing for the free flow of data), we need to implement a transfer mechanism such as the UK International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses (SCCs).  There’s also the relatively new requirement to conduct a transfer risk assessment, and consider if additional security measures are needed.

3. Contracts – Do we have a clear list of standard clauses for supplier contracts? What do the liability clauses look like? Are we prepared to walk away from suppliers whose contracts aren’t up to scratch? Do we have a good understanding of the level of contractual risk the business is prepared to accept?

UK/EU GDPR is clear on what should be included in contractual arrangements and the ICO have published useful contracts guidance. There are often negotiations to be had, especially when it comes to those tricky liability clauses.

4. Instructions –  Have we provided clear instructions on how our suppliers are permitted to handle the personal data, for what purposes and how long they must retain it?

5. Ongoing risk assessment – Do we have a process for evaluating the level of risk suppliers may represent?

It’s important to recognise some suppliers may bring greater risks than others. It may not be necessary to risk assess every supplier to the same level of granularity. Effectively we need to risk assess the risk assessments.

6. Review / Audit – Do we have a review or audit programme in place? Annual audits of all suppliers may not be possible, but it makes sense to rotate audits and maintain an up-to-date record of their processing activities.

For suppliers considered a higher risk, it may be prudent to routinely audit them. In doing so it’s important to be clear what aspects of the supplier’s business needs to scrutinised.

Creating a framework which is tuned and makes sense for the business is a good step and will mean there’s something to show the thought process if the ICO ever comes calling. Here are some factors to consider:

  • What categories of data is handled?
  • What’s the data volume?
  • How risky is the processing?
  • What could be the impact if a data breach occurred?
  • Was any due diligence carried out when the supplier was onboarded?
  • Is the supplier accredited or certified?
  • Have there been any complaints relating to privacy / breaches?
  • Have there been changes in ownership or scope of processing?
  • Have there been significant changes in processes and workflow?

7. Certification – in the absence of an approved certification scheme, alignment with ISO 27701 (the standard extending ISO27001 into data privacy) is worth considering.

It can sometimes feel like a mountain to climb, especially if operating using multiple suppliers. As the saying goes ‘you can only eat an elephant one bite at a time’, the key to supplier management is identifying the biggest risks and prioritising where action is needed the most.