Your Suppliers – The Weakest Link in your GDPR Supply Chain?

Under the GDPR, there are two primary roles for an organisation handling personal data. The first is the data controller, the person or company that decides and defines the purpose of the processing and the data that is collected and processed. The second is the data processor, which is anyone outside the controller's own organisation (that is, other than its employees or staff working under its direct authority) who processes the data on behalf of the data controller.

There is nothing particularly unusual in these definitions or indeed the arrangements, except that under the GDPR the data controller remains accountable, and can be fined, for data breaches that occur at a processor, even where the processor is at fault. A processor can also be liable in its own right, but that does not relieve the controller of its responsibility.

What should diligent companies be doing today to ensure that their suppliers are not their weakest link?

First up, they should perform due diligence on their suppliers.

Your partners, subcontractors, processors and hosting companies could put you at risk if they have not carried out appropriate due diligence themselves. This is particularly important if they have access to your business’s sensitive company data, your employees’ personal data or your customers’ data. Breaches involving your data could damage the reputation of your business, affect your ability to operate or even land you in trouble with the Information Commissioner’s Office (ICO) when personal data is compromised.

In 2017, for example, the UK retailer Debenhams confirmed it was contacting 26,000 customers whose data it believed had been compromised through its supply chain. The fact is that the supply chain is often an easier route for intruders to reach a company’s data, as many suppliers are smaller and typically less well prepared.

To mitigate this risk, the first step is to ensure that your suppliers understand your requirements. They need to understand:

• Data purpose
• Your data protection standards and requirements
• Your company’s security standards and requirements

This is particularly important for suppliers that are not based in the EEA, which may be less familiar with the GDPR than their European counterparts.

The second step is to ensure that contracts are in place and are appropriate. The GDPR (Article 28) requires a written contract with every processor that sets out the subject matter, duration, nature and purpose of the processing, and binds the processor to act only on your documented instructions, keep the data confidential and secure, seek your approval before engaging sub-processors, assist you with data subject requests and breach notification, and delete or return the data at the end of the engagement. For processors outside the EEA, the contract must also put appropriate transfer safeguards in place, such as the standard contractual clauses.

The third step is to hold regular supplier management meetings. Use these meetings, together with spot checks, to catch any issues that need to be resolved and any emerging risks that need to be managed before the digital horse has bolted.

The fourth step is to consider making a site visit to suppliers’ offices or data centres to become more comfortable with their security and practices. In turn, if part of their supply chain is important to your relationship, then go one step further and consider a visit to those suppliers too. We may live in a digital, online world, but getting in a car or on a train to validate a supplier’s security controls with your own eyes is still an effective way of making a better-informed judgement.

Darren Wray