LET’S TAKE A REAL-LIFE EXAMPLE SO YOU CAN SEE HOW THE PROCESS WORKS
Last month I was asked to help evaluate some options for desktop communications tools that a client wanted to introduce into their business. Before we ever asked for a product demo, I went onto the websites of the three tools that my client was interested in evaluating.
One of the privacy statements talked about PII and personal data interchangeably. It had some definitions at the start of the statement and then, about half-way through, some more definitions, including a repeat of an earlier term with a new take on what it meant. My educated guess was that the statement was cobbled together from at least two sources.
Here lie some tell-tale clues that the company had not taken any professional advice. Chances are that, as a result, they have made fundamental mistakes in their compliance program which would take us time and effort to iron out with them.
It also told me that the company probably does not take compliance as seriously as they should. It could be folly to enter a relationship with them as a processor because they may not be capable of responding adequately to a data breach or supporting any data subject access requests we receive. That could tarnish our client’s reputation and it’s a risk not worth taking.
Another privacy statement talked about being a “joint processor”. So, we all know that’s not a thing. Here’s a helpful indicator that my client would be facing into an uphill battle and spending time and energy negotiating data processing agreements from first principles, because what are the odds their data processing agreement (if it exists) will identify them as a joint processor? That supplier played in a busy market with lots of competition and, guess what, they didn’t make the shortlist for assessment.
It’s worth putting some time and effort into your privacy statement because, for us privacy professionals, it’s a shop window into your compliance program. It provides some useful clues about when it’s worth continuing to evaluate a potential supplier and when it’s better to walk away, often before they even know we were interested.