Marie Murphy
Supplier due diligence is one of those exercises we think we will get around to eventually. Even when we get to it, we don’t quite know what questions to ask or how to evaluate the answers we get back. It’s only when things go wrong that the light comes on and we can see how important our supplier relationships are in our overall compliance efforts.
Here’s a real story that illustrates how a supplier can let you down. It shows how the small but important details matter and sadly, that suppliers are often most absent when they are most needed.
Here at Fort Privacy, we are often asked what the likely consequences for a company are if they don’t do something we are recommending. It’s not an easy question to answer.
Sometimes we explain that the company would be non-compliant with GDPR but what does that mean in reality? It means if you are caught you could be subject to a fine – but that is “if” you are caught and that’s a big “IF”.
We also explain that the company is carrying unnecessary risk but that’s a tough one to quantify. Some companies are very risk averse; others embrace risk a bit too enthusiastically. Most run and hide under a rock hoping that the risk will simply pass them by, or the rock will protect them.
Very few companies really evaluate the risk and come to a formal decision about whether to “carry” the risk and if so prepare to mitigate for that risk should it materialise.
In our experience, the biggest and most underestimated data protection risks lie in what we call the supply chain – those companies who undertake various services on your behalf that involve the processing of personal data of your customers and your employees.
A huge amount of our effort especially as outsourced Data Protection Officers (“O-DPOs”) is spent helping to manage this supply chain in one way or another – ensuring supplier due diligence is completed, ensuring GDPR compliant contracts are in place, ensuring that the supplier has appropriate Technical and Organisational Measures(“TOMS”) in place.
Every so often, something happens with a supplier that illustrates how important this supply chain really is and how easily suppliers can let their customers down.
We had one such incident recently which really illustrates how important the supplier – client relationship is when it comes to GDPR compliance and how lacking most relationships really are when it all comes down to the crunch.
A communications service which is delivered as a SaaS based software offering suddenly and inexplicably went rogue and replayed a large number of old communications. In doing so it appeared to have bypassed the software’s controls on limits of communications that can be sent in a given time period. And it ignored key settings such as “unsubscribed from receiving communications”.
It happened on the 31st of December, but it was the 3rd of January before we could raise a support query with the supplier. This was despite the service being available 24x7x365.
When we did get a support query raised (despite having an article 28 compliant data processing agreement in place with the supplier which guarantees response and support in the event of a data breach) we could only raise very basic support from a junior support desk agent who had no knowledge of GDPR or any awareness of the contractual requirements in this type of event.
The supplier has no apparent path to identify an issue as being a potential GDPR data breach. I would hazard a further guess and say that they probably only recognise cyber-security breach events as data breaches – this is an educated guess based on lived experience. We couldn’t find an escalation path to get the issue recognised as time-sensitive and put onto an urgent investigation track.
Meanwhile, we are left managing a potential data breach, with a 72-hour reporting requirement, with one hand-tied behind our back and the other one holding a pastry fork.
We ask tough but important questions as part of the supplier due diligence process. Some of the questions prove contentious – even though from where we are sitting, we don’t think they should be.
Suppliers – especially SaaS providers – don’t like to be asked about data retention and deletion but this incident would not have happened if the supplier had good data retention capability built into their software services. We were diligently deleting user accounts when we got unsubscribe requests, but it turns out this supplier had a weakness. The user account was deleted but some of the user information was retained elsewhere where it could be reactivated while bypassing all the built-in software controls.
Suppliers – especially SaaS providers – like to take a “one-size-fits-all” approach to service delivery. We sympathise, we really do. The economies of scale won’t work if every customer demands something bespoke. It’s why hand-tailored suits cost multiple times more than off-the-peg versions. Our sympathy is qualified with one very important point – if you want to deliver the same service to all your clients all the time, you better get that service right. You should be going over and above with your compliance efforts, and you need to have a dedicated and very expert data protection team and a robust Data Protection by Design and by Default approach in place. This is especially true for all those software services that are built with Personal Data processing at their core.
Finally, suppliers who are entering into Data Processing Agreements which require them to support clients time-sensitive incident investigations need to have processes in place to enable their clients to access appropriate support. This needs to include clear escalation paths and the ability to involve a member of the data protection team for expert support. And the support team needs a clock.
Ending on an optimistic note, the future does indeed look bright with the European Data Protection Board finally approving GDPR Certification schemes in late 2022. At Fort Privacy we feel GDPR Certification is the only way to go longer term – by proving that they meet an acceptable standard in their service delivery suppliers will eliminate the noise of filling in those endless due diligence questionnaires. Their clients will benefit from certainty that the service and all the supports required to deliver the service have been certified as GDPR compliant.
While you are waiting for the GDPR Certified suppliers to appear, keep doing those due diligence exercises and don’t ever let suppliers convince you that you are the only one asking hard questions. I can confirm for a fact that you are not.
If you want more information on Supplier Due Diligence, take a look at Data Transfer Management which is Category 6 of the Fort Privacy Framework.
Fort Privacy will be facilitating a series of workshops in 2023 aimed at helping DPOs to come together and learn from each other. Sign-up for our newsletter below if you are interested in participating in these workshops.
Sign-up to receive news and information from Fort Privacy
Fort Privacy processes your personal data in order to respond to your query and provide you with information about our products and services. Please see our Data Protection Statement for further information
As a technologist, I am both excited and appalled at the developments in AI and it seems from various surveys that I am not alone. My greatest wish is that we can harness its power for good while dampening its power for misuse. It is early days yet – let’s hope this wish comes true!
Everyone loves a quiz so we decided we would kick-off the new year with a bit of tongue-in-cheek fun.
Continuing the tradition of the Fort Privacy Christmas blog this year we are thinking about Santa and AI. Well, we need to keep these articles topical after all!
