Are you at risk from your suppliers mishandling data breaches?
I’ve seen a few suppliers make classic errors dealing with breaches in their client’s data. Here are the top three errors suppliers make and 5 suggestions to avoid them!
GDPR & MERGERS AND ACQUISITIONS ARE YOU READY?
Tricia Higgins
So, you’ve been waiting for years for this. You have built your company up, done all the right things and finally an offer comes in the door from a prospective purchaser. They are just the right fit – a multi-national organisation saying all the right things with an offer that might just see you sitting on that island in Bermuda after years of hard slog.
The data room is set up and the purchaser starts the due diligence phase. It’s ok – you’ve got all this covered. But wait...there’s a full page of due diligence questions on data protection!
HOW COMPLIANT DO I NEED TO BE FOR A MEGER AND ACQUISITION?
When it comes to the GDPR, many companies are operating a “surface-level” compliance strategy. They might have updated their privacy statement (Marie explains just how important this is here), provided some basic training for employees and maybe put a Data Protection Policy in place. That’s it – JOB DONE, what was all the fuss about?
Many of Fort Privacy’s clients are preparing for M&A activity or are currently in the hot seat in the due diligence phase. And the due diligence process is asking in-depth questions. Not simply whether you have documentary evidence of compliance but checking if you can demonstrate compliance.
Here is a summary of the 12 most common M&A due diligence questions when it comes to data protection. How well can you answer these questions?
- Provide a copy of your Data Catalogue
- Describe – and defend – your Lawful Basis for all your processing activities
- Provide a copy of all privacy statements and notices to data subjects including employees and customers
- Provide a copy of all Data Protection Impact Assessments (DPIA’s) and Legitimate Interest Assessments undertaken
- Provide a copy of all your data protection policies including data protection policy, breach policy, data subject access request policy, data retention policy and CCTV policy
- Produce documentation demonstrating adherence to the policies listed above
- Provide a copy of your documented technical and organisational measures
- Demonstrate your Breach Management activities going back for at least 6 years
- Show evidence that you have undertaken supplier due diligence
- Produce copies of all relevant customer and supplier data processing agreements and the agreed technical and organisational measures.
- Describe the documented transfer mechanisms for all international transfers of personal data
- Demonstrate that staff have been trained and are legally bound to treat personal data confidentially
- Provide a copy of data protection audits undertaken in the past 6 years
- Provide any relevant certifications
BEST-CASE AND WORST-CASE OUTCOMES
It would be more than a little bit difficult to get past these questions with just a privacy statement and some training. Any prospective purchaser is going to want to know that you have your house in order.
At best, it’s going to affect the purchase price and/or the warranties being asked of the seller because (i) the purchaser has a big job to do after the acquisition and (ii) the acquisition will be viewed as a much riskier proposition.
At worst – the purchaser walks away. There’s always a possibility that a nervous purchaser with doubts over the acquisition might walk away if the due diligence responses are not up to scratch.
"SURFACE-LEVEL" COMPLIANCE IS NOT ENOUGH
There are lots of reasons why it’s a good idea to be more than compliant at a surface level with the GDPR. In the M&A playing field where there’s always another company competing for that golden opportunity, it’s vital to put some real work into your GDPR compliance programme – it will save you a lot of heartache in the long run. Contact Us if you need help with getting M&A ready. We can assess your current compliance levels and get you to well-positioned to answer the hard questions.
Data Protection Due Diligence on Seller
When a prospective buyer in a Merger and Acquisition is doing their due diligence on the seller part of this process will invariably be a full page of protections on data protection. Avoid the common pitfalls by downloading our guide on due diligence.
Fort Privacy processes your personal data in order to respond to your query and provide you with information about our products and services. Please see our Data Protection Statement for further information
Ode to DPO’s managing GDPR risk
The General Data Protection Regulation is “risk” based legislation. This means that the protective measures an organisation implements should correspond to the level of risk associated with their data processing activities. It’s worth noting that the risk that should be considered here, is the risk to the data subject as opposed to risk to the business of non-compliance.
Get your head above the crowd and KPI your Data Protection Programme
Data Protection Programmes are all the rage these days. It’s great to see the compliance conversation moving in this direction. As a Data Protection Officer (DPO), I know the difference between working with a solid data protection programme and working with none and all.