Are you at risk from your suppliers mishandling data breaches?
I’ve seen a few suppliers make classic errors dealing with breaches in their client’s data. Here are the top three errors suppliers make and 5 suggestions to avoid them!
In a well-established annual tradition, we are checking in with Santa and his team of magical elves and reindeer just to see how his GDPR compliance programme is evolving.
Santa has been rocking GDPR compliance for the last few years. We are not surprised really. After all, it’s in his DNA to keep his operations private.
Santa gets that by protecting the personal data of all the boys and girls on his route on Christmas Eve he’s not just protecting their rights – he is also protecting the Magic of Christmas. Santa’s gift to the world is his reputation as Father Christmas and he understands that getting his GDPR compliance right delivers more than a compliant North Pole Workshop operation. It protects Santa’s reputation as the great guy who can be trusted to deliver a little bit of Christmas magic every year.
Last year, if you remember, Santa cracked his cookie problem. Well, one of his cookie problems. The other cookie problem - well, let’s just say it’s Rudolph who eats all the carrots on Christmas Eve!
This year he is looking to future proof his operations. Santa is getting certified!
An EU Approved Data Protection Certification mechanism is not quite there yet, but it’s coming, and Santa has decided that the time is right to add it to his strategic goals.
GDPR and Certification – what’s the story?
Articles 42 and 43 of the GDPR pave the way for GDPR Compliance Certification, seals, or marks:
The Member States, the supervisory authorities, the Board and the Commission shall encourage, in particular at Union level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors.
The European Data Protection Board (“EDPB”) was very quick off the blocks in 2018, issuing early guidelines, but as of December 2021 there are no formally certified European GDPR Compliance Seals. Word is that we are getting closer and that 2022 will be the year that some of the first EDPB-approved EU-wide GDPR certification seals will finally be available.
So why is Santa keen to see certification seals emerge?
Well, first off, Santa is processing Children’s data at scale. Santa has welcomed the Irish Data Protection Commission’s work on the Fundamentals for a Child-Oriented Approach to Data Processing. He is in favour of the principle that Children’s data should be afforded additional protections, and he wants certainty that his workshop is hitting the standards he expects.
Santa is thinking about certifying his own North Pole operations for his own peace of mind and to protect his hard-earned reputation with his small customers and their parents.
He knows he is running his Santa’s Workshop operations in the North Pole as a tight ship and his DPO Elf is a reliable fellow, but Certification is going to bring an extra level of comfort.
The discipline of preparing for the rigours of a certification exercise will bring his compliance to the next level. The certification itself is an independent verification that goes well beyond the DPO Elf reassuring him that “Everything is good Santa!”.
Certification helps to verify the supply chain
Now Santa has a pretty complicated supply chain. I know the party line is that everything is made in Santa’s workshop, but truth be told, it’s as much as the elves can do to keep up with the deliveries and get everything on the sleigh in time.
Santa is looking forward to dealing with Certified suppliers because it’s going to solve one of his main supply chain worries – how can he really assess whether his suppliers are compliant? Santa knows that there will be consequences for the North Pole Operations if he is dealing with suppliers who aren’t taking GDPR compliance as seriously as he does. One weak link in his supply chain can have serious implications.
Santa does his best to vet his suppliers but, let’s be honest, Santa’s skills lie elsewhere. He can check a Data Processing Agreement (“DPA”) with the help of his DPO Elf, and they have a pretty good due diligence questionnaire for his suppliers. This helps deliver some comfort, but a really deep supplier verification exercise requires more, and Santa always worries that he just doesn’t have the skills to spot the weaknesses in those due diligence responses.
With both time and expertise under the enormous pressure of an unmovable annual deadline, Santa knows that Certification would do a lot of the heavy lifting for him.
Let’s make a list…
What are the benefits of certification for Santa and his suppliers?
If you are a supplier to Santa’s North Pole Workshop operations – well, you know what is on Santa’s present list for 2022!
Marie Murphy and Tricia Higgins are experts with the Europrise Certification Seal, which recognises privacy compliance of IT products and IT-based services with European data protection regulations. The Europrise certificate aims to facilitate an increase of market transparency for privacy-relevant products, an enlargement of the market for Privacy Enhancing Technologies and, finally, an increase of trust in IT.