In May 2018 the EU’s new data protection regulation, GDPR, will come into force, leaving little room for non-compliant businesses. Below Stephen Bailey, associate director at NCC Group, talks CEO Today through the intricate maze of rules, which mostly focus on transparency, and touches on the potential consequences of non-compliance.
Consider the way in which your business operates – could it happen without suppliers? Bear in mind that this includes absolutely any other business you deal with, from an outsourced payroll company, to a medical insurance provider and even the company that waters plants in the office. The supply chain is key to any business, and when GDPR comes into effect it will be one of the most scrutinised areas due to the sheer volume of data processed as part of it.
In preparation, companies need to know exactly what their supply chain looks like. To do this, they must carry out a full audit of their supply chain to ensure data is being used and safeguarded correctly – something that can be much easier said than done. The approach should be risk-based, focusing effort where it matters most from a privacy perspective. Where previous suppliers are known to have collected and processed personal data, these should be reviewed to identify areas of high risk that need to be addressed.
There are, of course, some simple steps that businesses can take in order to comply.
What, where and why
First and foremost, it is important to map precisely where data you’re responsible for lies along the supply chain. Once this is established, you’ll need to control what your suppliers are doing with the personal data shared with them.
For new suppliers, the contract must outline precisely what data will be shared, what it can be used for, how long it can be kept and what will happen to it at the end of the contract. For existing suppliers, contracts should be updated to reflect this following a full review of the current distributed data to ensure they only have access to appropriate information. For example, it’s unlikely that a marketing company coordinating email campaigns will need the date of birth or bank details of your customers.
Once the appropriate data has been established, stating within the contract the way in which this data can be used will protect customers from unlawful uses of their personal information. Staying with the example of a marketing email, this would stop a list of customers that have signed up for email communication being added to the distribution lists of other companies.
Contracts must also define a meaningful retention period for a supplier to keep hold of data following the end of a contract, detailing how the data will be destroyed and/or returned at the end of this period. This will vary depending on the nature of the business – a mortgage broker might need to keep data on file for a number of years for legal reasons, whilst it’s unlikely there would be a genuine reason for a milkman to store data following the end of a contract.
Another key element of GDPR is transparency, and achieving this throughout the supply chain is no easy task. The contract is, once again, central to ensuring this happens in practice.
GDPR mandates that every business needs a breach log where any actual or suspected data breaches, whether large or small, are recorded and tracked. There is still some ambiguity around what a breach log must contain, but in preparation for GDPR the general consensus is ‘the more, the better’. As a minimum, recording exactly when a breach took place, how it happened, the decision that was made in response and who signed off that decision will be enough to prove a business is at least attempting to comply. To demonstrate intent beyond mere compliance, companies should link each recorded breach to the steps taken to prevent further breaches.
When developing contracts with suppliers, agreeing access to their breach log is highly recommended in order to have full visibility of any threats to personal data that you are responsible for. In doing so, you are able to monitor for vulnerabilities and flag when a supplier’s cyber security might not be up to scratch. This may be enough to change suppliers to one that has greater security precautions in place, and can avoid falling victim to a severe cyber attack.
Beyond the EU
When collecting data, businesses will be required to disclose why it is needed, how it will be processed, where it will be shared and where it will be stored. It’s highly likely that somewhere along the supply chain your data may be shared or stored outside the EU.
It’s important to note that even if a supplier is not UK-based, if they hold any personal data relating to people in the EU, they will need to abide by the same regulations from 25th May 2018. However, it is your responsibility as the business contracting the supplier to ensure this compliance materialises.
For example, some valet parking services take and store images of cars to note any existing damage using apps. As well as contact details for the individuals, these images will include details of the actual vehicle, such as the number plate, which can be traced back to its owner, and is therefore classed as personal data. Some of these apps are hosted in the US, meaning that they will need to comply with GDPR if they are being used in the EU. However, it is the valet parking service that would need to confirm that the app is compliant.
As we get closer to the enforcement of GDPR, businesses need to be confident that they have built a watertight supply chain – the ICO will accept no excuse from those that fail to do so, as there have been two years to prepare. Following these steps will provide a strong starting point, and showing a conscious effort to audit suppliers where guidelines are still vague will further support your position.
The dangers of having a lax supply chain come in the form of major data breaches, reputational damage and potentially devastating fines. Organisations should all be going above and beyond to avoid these consequences and adhere to GDPR, in order to improve their security posture and protect sensitive data from harm. Although it can be a daunting prospect, becoming compliant with the new regulation is far simpler when approached in a structured, risk-based way.