You think you’re GDPR compliant? If your suppliers aren’t, you aren’t!

If your business relies on third-party suppliers to operate, it is your responsibility to ensure their processing activities satisfy the demands of the GDPR.

Should one of your suppliers suffer a breach involving your personal data and the appropriate due diligence has not been completed, you, as the data controller, will be liable and subject to any monetary penalties or processing restrictions imposed by the ICO.

Much of our work at Privacy Helper involves educating firms about the risks of not conducting the required due diligence on suppliers prior to engaging with them. Although a supplier may claim to be “GDPR compliant”, very often they are not, and many fail to satisfy our stringent due diligence process.

Why are you responsible?

As the data controller, the GDPR states that you assume liability for the processing activities within your business, including those of your external suppliers – known as processors – and of any suppliers they may engage – your sub-processors.

If your suppliers engage sub-processors to process your personal data, then the GDPR states they must gain your permission in writing – and provide details of their due diligence process. Have yours done this? If not, we can act on your behalf and ask them the right questions.

If either your processor or a sub-processor suffers a breach involving your personal data and fails to notify you, the regulator would hold you accountable. It is likely that both the supplier company and yourselves would have financial penalties imposed.

Our approach

We offer a three-stage process to firms who engage with us to ensure their supply chain can demonstrate compliance. These stages cover operational and organisational compliance, technical and legal compliance, and a summary of the supplier's wider processing activities.

Stage 1

Working with you, our privacy specialists will create a list of the top 10 suppliers, or top 10% of suppliers (depending on your business size), who are most critical to the business operation or have access to the most sensitive data in relation to the nature of your business. Based on the types of data processed, our team will help you to identify your priority suppliers.

Stage 2

Our team will send a detailed due diligence questionnaire to the supplier, asking them to demonstrate their compliance in multiple areas:

  • Organisational – including insurance policies held, the data protection and governance framework for the business, and staff training programmes.

  • Processing – the data protection and data governance framework around the processing activities of the supplier in relation to their wider client base.

  • Technical – details of their technical certifications, security policies and procedures.

Based on the supplier's ability to respond and the nature of their responses to this due diligence document, our specialists will make recommendations to you as to the suitability of the supplier in line with the demands of the GDPR.

In our experience, most businesses are unable to answer all questions on the document; however, based on the questions they do answer, we can advise you as to the risks this poses to your business in the event you engage with them. You can then make an informed business decision as to the next move.

This should be considered a critical element of your supplier onboarding process, as their responses will help both of us understand how seriously they have approached their privacy obligations – and how easily they can demonstrate these.

Stage 3

Any organisations you share data with should have a Data Sharing Agreement in place with you. This is a contract that contains specific privacy clauses such as:

  • How the personal data they process for you should be transferred (internally and externally).

  • What technical and security measures the supplier should ensure are in place for the storage of personal data.

  • How the supplier is required to demonstrate compliance.

  • The obligations of the supplier to react in the event of a breach involving your personal data – timescales, etc.

  • The support you can reasonably expect the supplier to offer in the event of an investigation of a data breach.

Although you are likely to have an agreement or contract in place with your suppliers, unless it has been reviewed in the last 18 months by a privacy specialist, it is unlikely to include sufficient privacy clauses.

Using the information from the due diligence document, our specialist data protection lawyers will draft an addendum to ensure you are covered in the event of a breach by your supplier.

This means your supplier will be contractually obliged to comply with the GDPR in line with your expectations as the data controller. In the event of a breach, they must also provide all reasonable support to ensure you are able to meet the 72-hour deadline set by the ICO.

While reviewing these documents, we can also include Standard Contractual Clauses (SCCs) to ensure your business is covered for cross-border data transfers in the event of a no-deal Brexit.

Should the supplier fail to maintain their compliance, or should their processing activities not reflect the clauses of the data processing contract they have with you, this becomes a breach of contract – against which you, as the data controller, are protected.

In our work, we have come across supplier companies whose service is a perfect fit for the business we are engaged with; however, their privacy considerations are a huge concern – and your business would be taking on this risk.

You also need to consider whether your business insurance would cover you in the event of a data protection incident if you knew your preferred supplier wasn’t compliant.

By engaging with our specialists and conducting detailed due diligence on your suppliers, we will help you identify the greatest unknown privacy risks to your business – significant fines have already been imposed by European regulators and our experts could save you from similar action from the ICO.

By engaging with us, you can massively reduce the potential risk to your business posed by non-compliant suppliers – and in many cases we work with those suppliers to ensure your privacy concerns are met and the business relationship continues.

What to do next

If you’re in any way concerned about the risk arising from your supply chain – or from a specific supplier that may have been investigated by the ICO on another matter – then call us today.

Simply tell us a bit about the nature of your business, the supplier’s role in your operation and the type of personal data they process, and we will quickly outline the potential risk to your organisation.

If you need our help, we’ll send over a proposal of engagement and can begin work once this is signed off. Your privacy concerns are our privacy concerns, and we’ll do all we can, as quickly as we can, to address them.
