The top three errors suppliers make and 5 suggestions to avoid them!

Are you at risk from your suppliers mishandling data breaches?

I am getting a bit longer in the (GDPR) tooth and, while I retain the capacity to be surprised on a daily basis, I think I can honestly say that when it comes to suppliers there's not much left that will shock me! A few, let's call them "interesting", engagements with some of our clients' suppliers have prompted me to take e-pen to e-paper to write today's article.

I've seen a few suppliers make classic errors dealing with breaches of their clients' data, and boy does it make a difference to the outcomes. It's helpful – for both the supplier and the client – to recognise the common mistakes suppliers make so you can both take steps to ensure they don't happen to you.


Why should you care?

First of all, we need to get the big question out of the way. Why should you care if your suppliers mishandle a data breach? I can think of two very good reasons – reputational damage and Article 24 of the GDPR.

Let's talk about reputational damage first. If you have a supplier sub-contracted to deliver part of your service to your customers and they get it badly wrong, usually it's your reputation on the line. You are, after all, the main point of contact for your customers; yours is the brand that they deal with. You will without doubt shoulder the blame – not to mention deal with the angry emails, phone calls and social media complaints. In serious cases you will become part of the news cycle for all the wrong reasons.

Article 24, meanwhile, means that you will also shoulder the responsibility if you are the data controller. The GDPR is very clear that the responsibility flows up through any data processing chain from sub-processor to processor to controller. Most suppliers who handle personal data on your behalf will do so as a processor or sub-processor, and if they mishandle the data badly enough to cause a data breach, the relevant Supervisory Authority will expect the controller to take on the responsibility for addressing the data breach.

The Top Three Errors

  1. Role (Mis-)Play

The first is where the supplier exceeds their role as processor and makes their own judgement on how to treat the incident – determining whether it's a data breach, deciding whether it should be reported and determining whether the data subjects should be contacted. In extreme cases the supplier does all of the above without informing you.

The worst experience I ever had of this was when the DPC (the Irish Supervisory Authority) reached out to me, as the registered DPO for the controller, to ask why I hadn't reported a data breach – and it was the first time I had heard about the breach. The supplier had taken it upon themselves to report the data breach to the DPC but not to their clients. The fallout internally was bad – we were outside the 72-hour reporting window, and we had zero information from our supplier.

This is an extreme example, but I have seen so many badly handled situations. The supplier reports to the Supervisory Authority first and only then tells the client, putting the client under pressure to complete their own report. The supplier contacts the impacted data subjects directly, without involving the client, sometimes with inappropriate engagement – however well intentioned, that bunch of flowers might not be well received! The supplier concludes that a breach is not reportable and doesn't bother to inform the client at all – when actually the supplier's assessment is incorrect and it is a reportable breach. It comes to your attention months later and, as a result of the supplier's misguided action, you are left with no option but to report it late.

  2. Compliance-in-name-only

The second error that suppliers make is not taking their compliance obligations seriously. The contract contains a Data Processing Agreement ("DPA"), the DPA clearly states that all incidents should be reported to the client within 24 hours of the supplier becoming aware of them, and a week later the supplier rocks up with an "oh by the way, we had a data breach of your customers' data last week, did we forget to mention it?".

You have done your due diligence, all the paperwork checked out, the supplier signed the agreement, they may even have given you a copy of their breach reporting policy / process. But it was all a tick-box exercise: the paperwork lines up, but it bears no relation to what is implemented in reality. It's what I call dusty files syndrome – lovely policies and processes all gathering dust on a shelf somewhere.

It is harder to spot suppliers who treat compliance as a tick-box exercise, but it is still possible with the right approach to supplier engagement. Staff turnover can be a good indicator of possible issues here.

  3. Protecting their patch

The third error we see suppliers making is failing or refusing to co-operate with a data breach investigation. Sometimes it's out of fear – if we divulge too much information, will we incriminate ourselves? There's no easy answer to this one. Yes, the supplier might end up divulging uncomfortable information, and yes, that might have consequences for the relationship with their customer.

In my experience, though, the consequences are always worse in the long term if the supplier fails to cooperate. Every instance I have seen of an unforthcoming supplier has prompted an immediate discussion of how to replace that supplier. The replacement is not always immediate or easy to execute, but it effectively ends with the incident. On the other hand, I have seen plenty of instances where a supplier has been very open about the incident and supported the client's investigations with a positive attitude. In those cases, the relationship tends to have a far better chance of survival.

I've worked with suppliers who take a very proactive approach to reporting incidents to their clients. It's never a comfortable experience, but handled correctly it does build client trust. Everyone understands that things go wrong. Breaches are not evidence of non-compliance. What is most important is how situations are handled. I have great confidence in some suppliers as a result of the way in which they have handled incidents. I know I can trust them to work through the situation and they won't leave us hanging.

Five pointers to ensure suppliers engage

So, what can you do to reduce the risk of being blindsided by your suppliers when they encounter a data breach?

First of all, risk assess your suppliers. Then put the appropriate level of measures in place to manage each supplier. Low-risk suppliers will need less oversight. Put the most energy into the suppliers who could cause the biggest issues for you and your customers in the event of a breach.

  1. Supplier due diligence is key. Make sure the contract is clear about breach / incident reporting obligations and ask to see the relevant reporting processes. If this is high risk for you, delve deeper and ask for evidence of the processes being followed. Do external research or ask to speak to other customers as part of your due diligence process. Don’t be afraid to ask hard questions and look for evidence that they follow their processes. We recommend a formal, repeatable, documented due diligence process is in place during onboarding. Annual check-ups should be carried out at least for high-risk suppliers.
  2. Nurture your supplier relationship. You should have a main point of contact both in your organisation and with the supplier, with regular, minuted meetings. Breach / incident handling should be an agenda topic.
  3. Watch out for warning signs, especially where suppliers have a high staff turnover. If you see constant change in the staff you are dealing with, you need to ask about staff training and the measures in place to ensure continuity of service delivery. Your annual due diligence should ask about staff turnover.
  4. Don’t let the small incidents pass. Small incidents can be a sign of bigger potential issues. Make sure you pick up on those small observations and discuss them with the supplier. Keep the pressure up until you are confident that they have been addressed.
  5. Always have a plan B. Heed the warning signs and be prepared to make hard decisions when a supplier does let you down.

When you outsource a processing activity to a supplier remember that you outsource the operations and not the responsibility. Make sure you proactively manage your suppliers – especially where there is a high-risk processing activity. Be aware of where a supplier can fall down and take steps to prevent at least the most common supplier missteps.

If you are looking for help with managing your suppliers, or are a supplier yourself looking to avoid the pitfalls, we would be delighted to support you. Contact Us to discuss your requirements.

