Marie Murphy
I am getting a bit longer in the (GDPR) tooth and while I retain the capacity to be surprised on a daily basis, I think I can honestly say when it comes to suppliers there’s not much left that will shock me! A few let’s call them “interesting” engagements with some of our client’s suppliers have prompted me to take e-pen to e-paper to write todays article.
I’ve seen a few suppliers make classic errors dealing with breaches in their client’s data and boy does it make a difference to the outcomes. It’s helpful – for both the supplier and the client - to recognise the common mistakes suppliers make so you can both take steps to ensure they don’t happen to you.
First of all, we need to get the big question out of the way. Why should you care if your suppliers mishandle a data breach? I can think of two very good reasons – reputational damage and Article 24 of the GDPR.
Let’s talk about reputational damage first. If you have a supplier sub-contracted to deliver part of your service to your customers and they get it badly wrong usually it’s your reputation on the line. You are after all the main point of contact for your customers, yours is the brand that they deal with. You will without doubt shoulder the blame – not to mention deal with the angry emails, phone calls and social media complaints. In serious cases you will become part of the news cycle for all the wrong reasons.
Article 24 meanwhile also means that you will shoulder the responsibility if you are the data controller. The GDPR is very clear that the responsibility flows up through any data processing chain from sub-processor to processor to controller. Most suppliers who handle personal data on your behalf will do so as a processor or sub-processor and if they mishandle the data badly enough to cause a data breach the relevant Supervisory Authority will expect the controller to take on the responsibility for addressing the data breach.
The first is where the supplier exceeds their role as processor and makes their own judgement on how to treat the incident – determining if it’s a data breach, deciding whether it should be reported and determining whether the data subject should be contacted. In extreme cases sometimes a supplier does all of the above without informing you.
The worst experience I ever had in this case was when the DPC (the Irish Supervisory Authority) reached out to me, as the registered DPO for the controller, to ask me why I hadn’t reported a data breach and it was the first time I had heard about the breach. The supplier had taken it upon themselves to report the data breach to the DPC but not to their clients. The fallout internally was bad – we were outside the 72-hour reporting window, and we had zero information from our supplier.
This is an extreme example, but I have seen so many badly handled situations. The supplier reports to the Supervisory Authority first and then tells the client, putting the client under pressure to complete their report. The supplier contacts the impacted data subjects directly, without involving the client, sometimes with inappropriate engagement – however well intentioned that might not be the most well received bunch of flowers! The supplier concludes that a breach is not reportable and doesn’t bother to inform our client at all – when actually the supplier’s assessment is incorrect, it is a reportable breach. It comes to your attention months later and as a result of the supplier’s misguided action you are left with no option but to report it late.
The second error that supplier’s make is not taking their compliance obligations seriously. The contract contains a Data Processing Agreement (“DPA”), the DPA clearly states that all incidents should be reported to the client within 24 hours of becoming aware of it and a week later the supplier rocks up with an “oh by the way, we had a data breach of your customers data last week, did we forget to mention it?”.
You have done your due diligence, all the paperwork checked out, the supplier signed the agreement, they may even have given you a copy of their breach reporting policy / process. But it was all a tick box exercise, the paperwork lines up but it bears no relation to what is implemented in reality. It’s what I call the dusty files syndrome – lovely policies and processes all gathering dust on a shelf somewhere.
It is harder to spot suppliers who treat compliance as a tick-box exercise but still possible with the right approach to supplier engagement. Staff turnover can be a good indicator of possible issues here.
The third error we see supplier’s making is failing or refusing to co-operate with data breach investigation. Sometimes it’s out of fear – if we divulge too much information will we incriminate ourselves? There’s no easy answer to this one. Yes, the supplier might end up divulging uncomfortable information and yes that might have consequences for the relationship with their customer.
In my experience though, the consequences are always worse in the long term if the supplier fails to cooperate. Every instance I have seen of an unforthcoming supplier has prompted an immediate discussion of how to replace that supplier. The replacement is not always immediate or easy to execute but it effectively ends with the incident. On the other hand, I have seen plenty of instances where a supplier has been very open about the incident and supported the clients’ investigations with a positive attitude. In those cases, the relationship tends to have a far better chance of survival.
I’ve worked with suppliers who take a very proactive approach to reporting incidents to their clients. It’s never a comfortable experience but handled correctly it does build client trust. Everyone understands that things go wrong. Breaches are not evidence of noncompliance. What is most important is how situations are handled. I have great confidence in some suppliers as a result of the way in which they have handled incidents. I know I can trust them to work through the situation and they won’t leave us hanging.
So, what can you do to ensure you reduce your risks of getting blindsided by your suppliers when they encounter a data breach?
First of all, risk assess your suppliers. Then put the appropriate level of measures in place to managing each supplier. Low risk suppliers will need less oversight. Put the most energy into suppliers who could cause the biggest issues for you and your customers in the event of a breach.
When you outsource a processing activity to a supplier remember that you outsource the operations and not the responsibility. Make sure you proactively manage your suppliers – especially where there is a high-risk processing activity. Be aware of where a supplier can fall down and take steps to prevent at least the most common supplier missteps.
If you are looking for help with managing your suppliers or are a supplier yourself looking to avoid the pitfalls, we would be delighted to support you. Contact Us to discuss your requirements.
Sign-up to receive news and information from Fort Privacy
Fort Privacy processes your personal data in order to respond to your query and provide you with information about our products and services. Please see our Data Protection Statement for further information
As a technologist, I am both excited and appalled at the developments in AI and it seems from various surveys that I am not alone. My greatest wish is that we can harness its power for good while dampening its power for misuse. It is early days yet – let’s hope this wish comes true!
Everyone loves a quiz so we decided we would kick-off the new year with a bit of tongue-in-cheek fun.
Continuing the tradition of the Fort Privacy Christmas blog this year we are thinking about Santa and AI. Well, we need to keep these articles topical after all!
