Businesses of all sizes aren’t paying enough attention to how their partners handle personal data. It’s time to start asking the right questions.
A chain is only as strong as its weakest link. Your business is responsible not just for upholding your customers’ data privacy inside your organization. Everyone who uses the data on your behalf must be as privacy-conscious as you. Those data-handling partners may include accountancy, telecommunications and cloud storage, even office security and maintenance contractors.
Personal data regulation takes privacy very seriously
There’s a legal reason strong privacy links in your supply chain matter, as well as a moral one. Privacy is at the core of the European Union’s stringent General Data Protection Regulation (GDPR.) It applies to personal data processed by organizations in the European Economic Area (EEA) and those outside that offer goods or services to those within.
GDPR is the gold standard for data protection. Many other legislative frameworks have used it as a model, like California Consumer Privacy Act (CCPA,) Brazil’s Lei Geral de Proteção de Dados (LGPD) and the proposed strengthening of Australia’s Privacy Act 1988. Complying with GDPR won’t always mean you’re complying with other jurisdictions’ regulations, so if you’re sending personal data across borders, get local advice.
GDPR is built around defining what it means to be a data controller or data processor, and what each must do. A controller decides what personal data to collect, gathers it and decides how to use it. A processor receives personal data from another party and processes it as directed, but doesn’t decide how it’s used. The law says controllers must use only processors with technical and organizational structures that ensure data privacy.
Data breaches mean business disruption and reputational damage. Then there’s the money. Under GDPR, controller and processor may face huge fines: 20 million euro or up to four percent of the previous year’s turnover – whichever is greater. In 2019, British Airways faced a record-breaking 183 million British pounds for a breach.
Privacy holes affect businesses of all sizes
Although GDPR came into force in 2018, many companies still aren’t paying attention, says Jamel Ahmed of UK data privacy consultants Kazient Privacy Experts. “It’s true for large enterprises to small- to medium-sized businesses. I often find bigger companies have excellent internal data security processes. The compliance people will ask the right questions and demand evidence. But along the supply chain, there’s a massive gap relating to personal data. It’s to do with a lack of understanding, and limited awareness and expertise.”
Peter Wright agrees. He’s Managing Director of UK’s Digital Law, specializing in online, data and cyber issues. “It’s been overlooked in the past. And while there’s more awareness now, that doesn’t mean it’s enough.”
Your data handling shouldn’t just satisfy legal and regulatory requirements. It should also follow best practice and ethics. If you’re remiss, the consequences can be severe.
Peter Wright, Managing Director, Digital Law
How to tighten the links
1. Ask data-processing suppliers the right questions
Do your due diligence when you start a relationship with a supplier that involves passing data. Ahmed says, “As a minimum, check new suppliers are registered with UK’s Information Commissioner’s Office (ICO,) or your country’s equivalent. Check they have good policy and practice. Check they understand their data privacy obligations and responsibilities.
“Do they have a dedicated data protection officer (DPO,) and what are their qualifications and experience? I’d also want to see evidence they’ve spent time developing good practices rather than just complying with a checklist they’ve downloaded from somewhere.”
2. Have a contract that goes above and beyond
The GDPR says there must be a written contract between data controller and processor, and what the contract terms must be, including type of data, how long it may be kept for and the nature and purpose of data processing. Data privacy experts think agreements between controller and processor should go further, drilling down to detail, showing the controller is giving enough oversight.
3. Have a plan in place for what the controller does when there’s a breach
Under GDPR, all businesses handling data must keep a breach log, recording details of security incidents. Controllers should expect to be able to see anything in the processor’s log that relates to its data. Ahmed thinks businesses should go further again, having a detailed plan for what the processor must do if a data breach happens.
Ahmed goes on to say, “The GDPR obliges the processor to tell the data controller as soon as they become aware of a breach. But the contract needs to explain what constitutes a breach and what “as soon as you become aware” means.”
4. Bake risk management into your operations
Having a watertight supplier contract is just the first step. Wright and Ahmed stress data controllers should manage risk along the supply chain in a proactive and ongoing way. That means regular risk audits and going back to check data policies with clients and suppliers when circumstances change.
Wright advises, “Regulators look at how businesses show compliance. They don’t want you to hold up a contract audit that says, “Oh yes, we looked at this two years ago and it was fine.” They want to see continuous updates. If the worst happens and there is a breach of personal data, they want to see evidence the business did all it could to comply with legislation.
“You need to show you’ve looked regularly at your risk register and updated it after meetings. If a supplier changes its terms, show you investigated, asked questions and reviewed their answers. Regulators want to see the regular auditing, questioning and managing of risk baked into your operations.”
5. Be wary of how behavior changes may impact privacy
Our changing ways of life and work mean we need to be vigilant about what’s happening with our data. Wright says, “Homeworking has been adopted in ways never envisaged when IT systems were set up. You may have signed up to terms in 2017 and reviewed them during your 2018 GDPR due diligence, but the supplier may have since changed systems.
“Say your teleconferencing provider, because of increased demand, says, “We’re revising our terms because our servers are no longer in the EU. We have a new web services provider, but we can’t confirm where your data is processed. Hope that’s OK.””
Businesses should insist on full disclosure of what’s changed and whether there are knock-on effects on privacy. “Big questions need answering,” says Wright. “Where’s your data going? Is it following GDPR? Are they transferring business call recordings to servers outside the EEA? What security is in place? Is the data encrypted end to end?”
6. Consider everyone in your supply chain
One of the greatest pitfalls is not realizing your data is passed along the supply chain at all.
The golden rule is to assume every business you work with is a data processor. Otherwise, lapses can happen, even with the most sensitive personal information – material classified as “special-category data” under the GDPR. That’s anything that could be used for unlawful discrimination such as ethnic origin, sexual orientation, health records or biometric data.
Ahmed has a cautionary tale. “One of my clients looked for third-party software to do psychometric testing for graduate recruitment. Throughout the procurement, they didn’t realize this involved special-category data under GDPR. There was potential for serious repercussions in failing to assess the data protection impact.”
In the age of big data, ignorance is never a defense.
If personal data is in your possession, you must stay up-to-date with legislation, but also ethics and best practice. Raise awareness of risks and responsibilities, inside and outside your organization. Doing so will reduce the chance of a data breach and ensure your customers know you’re looking after their interests.