Why should I worry about Supplier Due Diligence?

Data Protection compliance is a risky business….

Here at Fort Privacy, we are often asked what the likely consequences for a company are if they don’t do something we are recommending. It’s not an easy question to answer.

Sometimes we explain that the company would be non-compliant with GDPR but what does that mean in reality? It means if you are caught you could be subject to a fine – but that is “if” you are caught and that’s a big “IF”.

We also explain that the company is carrying unnecessary risk but that’s a tough one to quantify. Some companies are very risk averse; others embrace risk a bit too enthusiastically. Most run and hide under a rock hoping that the risk will simply pass them by, or the rock will protect them.

Very few companies really evaluate the risk and come to a formal decision about whether to “carry” the risk and if so prepare to mitigate for that risk should it materialise.

Which is often underestimated, especially in the supply chain…

In our experience, the biggest and most underestimated data protection risks lie in what we call the supply chain – those companies who undertake various services on your behalf that involve the processing of personal data of your customers and your employees.

A huge amount of our effort especially as outsourced Data Protection Officers (“O-DPOs”) is spent helping to manage this supply chain in one way or another – ensuring supplier due diligence is completed, ensuring GDPR compliant contracts are in place, ensuring that the supplier has appropriate Technical and Organisational Measures(“TOMS”) in place.

Every so often, something happens with a supplier that illustrates how important this supply chain really is and how easily suppliers can let their customers down.

Until something happens that helps us understand….

We had one such incident recently which really illustrates how important the supplier – client relationship is when it comes to GDPR compliance and how lacking most relationships really are when it all comes down to the crunch.

A communications service which is delivered as a SaaS based software offering suddenly and inexplicably went rogue and replayed a large number of old communications. In doing so it appeared to have bypassed the software’s controls on limits of communications that can be sent in a given time period. And it ignored key settings such as “unsubscribed from receiving communications”.

So far, not so good. But it gets worse…

It happened on the 31^st of December, but it was the 3^rd  of January before we could raise a support query with the supplier. This was despite the service being available 24x7x365.

When we did get a support query raised (despite having an article 28 compliant data processing agreement in place with the supplier which guarantees response and support in the event of a data breach) we could only raise very basic support from a junior support desk agent who had no knowledge of GDPR or any awareness of the contractual requirements in this type of event.

The supplier has no apparent path to identify an issue as being a potential GDPR data breach. I would hazard a further guess and say that they probably only recognise cyber-security breach events as data breaches – this is an educated guess based on lived experience. We couldn’t find an escalation path to get the issue recognised as time-sensitive and put onto an urgent investigation track.

Meanwhile, we are left managing a potential data breach, with a 72-hour reporting requirement, with one hand-tied behind our back and the other one holding a pastry fork.

The lesson to be learned is that supplier due diligence is important…

We ask tough but important questions as part of the supplier due diligence process. Some of the questions prove contentious – even though from where we are sitting, we don’t think they should be.

Suppliers – especially SaaS providers – don’t like to be asked about data retention and deletion but this incident would not have happened if the supplier had good data retention capability built into their software services. We were diligently deleting user accounts when we got unsubscribe requests, but it turns out this supplier had a weakness. The user account was deleted but some of the user information was retained elsewhere where it could be reactivated while bypassing all the built-in software controls.

Suppliers – especially SaaS providers – like to take a “one-size-fits-all” approach to service delivery. We sympathise, we really do. The economies of scale won’t work if every customer demands something bespoke. It’s why hand-tailored suits cost multiple times more than off-the-peg versions. Our sympathy is qualified with one very important point – if you want to deliver the same service to all your clients all the time, you better get that service right. You should be going over and above with your compliance efforts, and you need to have a dedicated and very expert data protection team and a robust Data Protection by Design and by Default approach in place. This is especially true for all those software services that are built with Personal Data processing at their core.

Finally, suppliers who are entering into Data Processing Agreements which require them to support clients time-sensitive incident investigations need to have processes in place to enable their clients to access appropriate support. This needs to include clear escalation paths and the ability to involve a member of the data protection team for expert support. And the support team needs a clock.

So keep asking those tough questions because they are important…

• It’s important to understand what personal data the supplier is processing and how that personal data is retained and deleted when it is no longer needed. Don’t accept lazy language like, personal data is retained for as long as necessary for the delivery of the service – get under the hood and ask what records are created during the service delivery, how long are each of those records retained and what control you have over ensuring they are deleted when they should be.
• It’s important to know that the supplier has incident management processes that includes the ability to escalate incidents including to the Data Protection Officer when necessary. Ideally, suppliers should have some dedicated support track for data incident related support queries.
• Don’t get fobbed off by the classic line “You are the only client who has ever asked us for this”. This is a classic “Divide and Conquer” technique. Hilariously, we caught a supplier out on this one last year when two of our clients were fed this very line by the same supplier.
• Ask whether employees get Data Protection training – and that’s especially important for offshore support teams. Does the support engineer sitting in Bangalore or the designer in Kuala Lumpur understand the implication of a customer calling in and saying, “we think this is a GDPR breach and it’s time sensitive”.
• Insist that the supplier contractually agrees to a set of Technical and Organisational Measures. Don’t just complete a due diligence questionnaire exercise with the supplier and get a spreadsheet of “Yes we do this” answers. The supplier should be willing to contractually commit to every yes answer on the list.
• Ask if the supplier undertakes independent audits of GDPR compliance. Ask what relevant GDPR certification or technical certification (ISO/SOC etc) can the produce to demonstrate their compliance activities?
• And finally, trust your instincts. If something feels not quite right when a supplier is on their best pre-sales behaviour you should dig deeper. Because when the day comes that you need to rely on that supplier to get you across the line in a crisis, that niggle could cost you very dearly.

The future is bright….

Ending on an optimistic note, the future does indeed look bright with the European Data Protection Board finally approving GDPR Certification schemes in late 2022. At Fort Privacy we feel GDPR Certification is the only way to go longer term – by proving that they meet an acceptable standard in their service delivery suppliers will eliminate the noise of filling in those endless due diligence questionnaires. Their clients will benefit from certainty that the service and all the supports required to deliver the service have been certified as GDPR compliant.

While you are waiting for the GDPR Certified suppliers to appear, keep doing those due diligence exercises and don’t ever let suppliers convince you that you are the only one asking hard questions. I can confirm for a fact that you are not.

 

Learn More about Supplier Due Diligence

If you want more information on Supplier Due Diligence, take a look at Data Transfer Management which is Category 6 of the Fort Privacy Framework.

Fort Privacy will be facilitating a series of workshops in 2023 aimed at helping DPOs to come together and learn from each other. Sign-up for our newsletter below if you are interested in participating in these workshops.