Data protection and your suppliers

July 2022

How to manage the third parties you work with

One of the more challenging aspects of GDPR for many businesses has been identifying all the suppliers with whom you share personal data.

Making sure appropriate contractual terms are in place and managing these relationships successfully, whilst doing all you can to protect your business from supply chain data breaches (which are all too common) can be onerous. We should also bear in mind the need to carry out due diligence checks before taking on new suppliers.

Four years after GDPR enforcement, many projects to tackle supplier management remain unfinished, representing an ongoing risk to businesses sharing personal data. If you have limited visibility into how your data is processed by your suppliers (and any sub-processors) it clearly leaves the business exposed.

UK/EU GDPR is clear on what should be included in contractual arrangements, and the ICO has published useful contracts guidance. There are also often negotiations to be handled, especially when it comes to those tricky liability clauses.

What does accountability look like?

In short, you need to make sure your suppliers are doing what they say they do to protect personal data, using risk assessments and audits. This includes knowing how your suppliers will respond when it comes to the crunch: a data breach. How quickly and fully will they notify you?

Due diligence questionnaires

When you’re considering entering into a contract with a new supplier, it’s good practice to request meaningful answers to certain questions, such as:

  • Do you have a DPO or another individual in the business responsible for data protection?
  • Can you provide evidence of your data protection policies and procedures?
  • Have you experienced a data breach before?
  • What information security procedures do you have in place?
  • How regularly are your security measures tested?
  • Do you hold any form of certification?
  • In which country/region will the data be processed?
  • Who are your sub-processors and where do they process the data?

The above is by no means an exhaustive list.

Where will data be processed?

There are additional considerations if international data transfers come into play. If you are sharing personal data that is sent to (or accessed by) a supplier in a third country where there’s no adequacy decision in place, you’ll need to implement a legal transfer mechanism, such as Standard Contractual Clauses (SCCs). These EU SCCs can be adapted for UK use with the ICO’s Addendum. You may potentially also need additional security measures.

UK exporter businesses may choose to use the ICO’s International Data Transfer Agreement (IDTA). The IDTA and Addendum are designed to replace SCCs for international transfers.

Conducting a supplier review or audit

It’s important to recognise that some suppliers may bring greater risks than others. It may not be necessary to risk assess every supplier to the same level of granularity. Effectively, you need to risk assess the risk assessments themselves.

For suppliers you consider a higher risk, you may choose to audit them. In doing so, it’s important to be clear which aspects of the supplier’s business need to be scrutinised.

Creating a framework which is tuned to your business needs makes sense, so you’re able to demonstrate the thought process if the ICO ever comes calling. Here are some factors to consider:

  • What categories of data are handled?
  • What’s the data volume?
  • How risky is the processing?
  • What could be the impact if a data breach occurred?
  • Was any due diligence carried out before the supplier was onboarded?
  • Is the supplier accredited or certified?
  • Have there been any complaints relating to privacy / breaches?
  • Have there been changes in ownership or scope of processing?
  • Have there been significant changes in processes and workflow?

Six-point supplier management checklist

1. Due diligence – Do you have a questionnaire in place to identify the what, where, when and how of data processing? What data protection and security measures are in place? Is there evidence to prove this?

2. Contracts – Do you have a clear list of standard clauses for supplier contracts? What do the liability clauses look like? Are you prepared to walk away from suppliers whose contracts aren’t up to scratch? Do you have a good understanding of the level of contractual risk the business is prepared to accept?

3. Instructions – If a supplier is acting as a processor, have you provided clear instructions on how they are permitted to handle the personal data, for what purposes and how long they must retain it?

4. Ongoing risk assessment – Do you have a process for evaluating the level of risk suppliers may represent?

5. Review / Audit – Do you have a review or audit programme in place? Annual audits of all suppliers may not be possible but it makes sense to rotate audits and maintain an up-to-date record of their processing activities.

6. Certification – In the absence of an approved certification scheme, alignment with ISO 27701 (the standard extending ISO 27001 into data privacy) is worth considering as a proxy, whilst we wait for approved schemes to emerge.

It can sometimes feel like a mountain to climb, especially if you operate using multiple suppliers. As the saying goes, ‘you can only eat an elephant one bite at a time’: the key to sharing personal data safely is identifying your biggest risks and prioritising where action is most needed.