How to manage your suppliers effectively

June 2021

One of the most challenging aspects of GDPR for many businesses was identifying all their suppliers, putting contracts in place, managing these relationships and preventing data breaches.

Combine this with the need to have more robust due diligence checks before taking on a new supplier, and it can all feel a bit daunting.

Three years on from GDPR enforcement, many projects to get on top of supplier contracts remain unfinished and represent a risk to the business.

The statistics speak for themselves; according to a 2021 Ponemon Report (‘Cost of Third Party Cyber Security Risk Management’) 53% of businesses experienced a third-party data breach in the past two years.

Limited visibility into how your data is processed by your suppliers (and any sub-processors) clearly leaves businesses exposed.

Helpfully, there’s clear guidance from the ICO on what should be included in contracts where there’s a controller to processor relationship. And the GDPR provides a clear list of what should be included.

Admittedly, there are often negotiations to be had, with either party pushing back, especially when it comes to those tricky liability clauses.

In addition to ensuring contracts are in place, companies need to be ready to demonstrate accountability.

What does accountability mean?

In essence, you need to use risk assessments and audits to make sure suppliers are doing what they say they are going to do to protect personal data. This includes knowing how your suppliers will respond to crises such as a data breach.

This is the point at which technology can certainly help to lighten the load once you’ve figured out your plan of action.

Supplier due diligence questionnaires

When you’re considering a contract with any new supplier, it’s good practice to elicit meaningful answers to the following questions:

  • What data protection and information security provisions do you have in place?
  • Is there a DPO or someone specific responsible for data protection?
  • Can evidence be provided of data protection policies and procedures?
  • Have you experienced a data breach before?
  • How regularly are your security measures tested?
  • Are any sub-processors used?
  • Does the supplier hold any form of certification?
  • Where physically will the data be processed?

The above is by no means an exhaustive list.

Where will data be processed?

The last point above is an important one! There are additional considerations if international data transfers come into play.

If personal data is being sent to (or accessed by) a supplier in a third country where there’s no adequacy decision in place, you’ll need to implement a legal transfer mechanism, such as Standard Contractual Clauses, and potentially additional security measures.

The European Commission has recently published new SCCs. They’ve been updated to:

  • align with the GDPR,
  • allow for more flexibility, depending on whether parties are processors or controllers,
  • address requirements following the Schrems II ruling last July.

Conducting a supplier audit

If you feel overwhelmed by multiple suppliers, it’s important to realise you cannot risk assess every single supplier to the same level of granularity. Effectively you need to risk assess the risk assessments.

For those suppliers you consider a higher risk, you may choose to audit them. It’s important to be clear which aspects of the supplier’s business need to be scrutinised.

You should also consider how frequently you audit, given the nature of the relationship, the type of data they process and the level of risk associated with the types of processing that supplier carries out.

All of these considerations make the audit decision an inexact science, so it makes sense to create your own framework, allowing you to demonstrate your thought process if the ICO ever comes calling. Factors to consider:

  • What type of data is handled?
  • How much data is handled?
  • How risky is the processing?
  • What would be the impact if a data breach occurred?
  • Was any due diligence carried out at contract initiation?
  • Is the supplier accredited/certified?
  • Have there been any complaints relating to privacy / breaches?
  • Have there been changes in ownership or scope of processing?
  • Have there been significant changes in processes and workflow?

Six-point supplier management checklist

  1. Due diligence – Do you have a questionnaire in place to identify the what, where, when and how of data processing? What data protection and security measures are in place, and is there evidence to prove this?
  2. Contracts – Do you have a clear list of criteria for a compliant contract? Are you prepared to walk away from those standard contracts which aren’t up to scratch? Do you have a robust assessment of when you are prepared to take a degree of risk?
  3. Instructions – If a supplier is acting as a processor, have you provided clear instructions on how they are permitted to handle the personal data and for what purposes?
  4. Ongoing risk assessment – Do you have a clear process for evaluating the level of risk suppliers may represent?
  5. Audit – Do you have an audit programme in place? Annual audits of all suppliers may not be possible but it makes sense to rotate audits and maintain an up-to-date record of their processing activities.
  6. Certification – In the absence of an approved certification scheme, alignment with the recently published ISO 27701, the standard extending ISO 27001 into privacy and personal data, is worth considering as a proxy whilst we wait for approved schemes to emerge.

Listen back to our recent discussion about supplier/processor management in which our great line-up of speakers share their experiences and tips – How to avoid privacy errors with your suppliers