The latest UK Data Protection Index report, produced jointly by The DPO Centre and Data Protection World Forum (DPWF) and based on a quarterly survey of approximately 500 UK privacy professionals, has bucked the rather negative trend that had been developing over the last 12 months. Rob Masson, CEO at The DPO Centre explains that, in a welcome turn of events, “UK privacy professionals appear to be gaining back their confidence both in their organisation’s own compliance and the strength of the UK’s data protection laws.”
When asked how they perceive the UK’s data protection laws in comparison with other countries’, 53% of respondents scored the UK’s laws an 8 out of 10 or higher (10 being “well ahead of others”), which was up from last quarter’s results. Similarly, when asked to rate their organisation’s level of compliance, in five of the seven areas listed, DPOs rated their organisations higher than last quarter.
Interestingly, the two areas in which confidence has dropped over the last three months are the two areas in which confidence was lowest anyway, suggesting that these are areas consistently presenting an issue for compliance. What were they? I hear you ask. The answer: retention (in data protection terms, a defined period of time for which information assets are to be kept) and vendor due diligence.
Retention has been an area of concern for some time, and we published a blog about the challenges it presents back in July 2021. Vendor due diligence, on the other hand, is something we have yet to dive into, that is, until now.
Importance of Vendor Due Diligence
Organisations are now outsourcing increasingly more of their business processes, and sometimes whole business functions, to third party providers. This is beneficial for a number of reasons (see our outsourcing blog here), but there is also an inherent risk attached that is always present when you share personal data (information which relates to an identified or identifiable natural person) for which you are responsible with another organisation. Given that supply chains are far more complex now, when you share personal data with one processor, it is almost always also being shared with the processor’s sub-processors and their sub-processors and so on.
Whilst you are in control of the measures your organisation has in place to protect the personal data you process (a series of actions or steps taken in order to achieve a particular end) in your own systems from data breaches and inappropriate use, ensuring that this same level of protection extends to the vendors you choose to work with is another matter. With any third parties who process personal data on your behalf, you should always have a Data Processing Agreement that complies with Article 28 GDPR. However, actually getting them to implement appropriate technical and organisational measures to keep the data safe, and the same for their sub-processors, is more of a challenge. At the end of the day, a signature on a piece of paper won’t, unfortunately, guarantee that this is the case. Under the EU and UK GDPR (the UK General Data Protection Regulation: before leaving the EU, the UK transposed the GDPR into UK law through the Data Protection Act 2018, and this became the UK GDPR on 1st January 2021 when the UK formally exited the EU), data controllers (entities, such as an organisation, which determine the purposes and means of the processing of personal data) can be held responsible for the compliance (or non-compliance) of their processors, so choosing ones that are compliant with data protection laws at the outset can save you headaches down the line. Enter, vendor due diligence.
When considering which vendors to engage with, conducting due diligence and comparing the results is a great way to narrow down your search for the perfect vendor. In addition, in the event that one of your vendors was ever to experience a data breach that affected your personal data or systems, having a robust vendor due diligence process can help to evidence that you took appropriate measures when considering which vendors to engage with, which may save you some heat with the regulator. It is no wonder, then, that back in December 2020, 81% of panellists on the UK Data Protection Index agreed or strongly agreed that more due diligence between controllers and processors should be undertaken.
Ensure clear communication channels
In big organisations especially, half the battle with vendor management is knowing when an area of the business is planning to engage with a new vendor and triggering the due diligence process. It is therefore essential to ensure that all staff involved in procurement of vendors are aware that due diligence needs to be undertaken, and who to inform when this is the case. Furthermore, due diligence should be undertaken at the outset, before any contract is signed, so making sure people know to inform the right people at the beginning of any new project is vital for ensuring it doesn’t cause any delay.
Tier your vendors
Not all vendors are created equal. Different vendors, depending upon their size, maturity, the services provided, and the personal data involved, present different levels of risk to your business. It is therefore important to take these factors into account when determining the level of due diligence required. Whilst you should still do your due diligence on huge corporations such as Google and AWS before merrily handing over your personal data, there is no way you can send them a supplier questionnaire and expect them to actually respond. However, organisations such as these will have more mature compliance frameworks and usually publish a lot of useful information on their websites which can help you to assess their suitability. Conversely, smaller suppliers with less mature compliance frameworks will require more detailed investigation before they can be confidently engaged with.
When considering what level of due diligence is appropriate, you should also think about the type and amount of personal data you are sharing with them and whether they have access to any of your systems. Needless to say, the more personal data of yours they process, and the more sensitive it is, the higher the bar needs to be set in terms of due diligence and standards expected. Similarly, third parties to whom you are granting access to your own systems so that they can provide their service require much more detailed vetting than those who process your data on their own systems, as the risk profiles of the two setups are vastly different (for an example of the former, you only need to Google “SolarWinds hack” to see the devastation it can cause). The moral of the story? Assess the type of vendor and the level of risk presented by the processing, and then determine how deep you need to dig.
Use your Info Security Team wisely
Due diligence is mainly about ensuring that the vendors you work with have in place appropriate technical and organisational measures to protect the personal data that you are going to share with them. Whilst this requirement is derived from data protection law (any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding restriction, as amended, consolidated or re-enacted from time to time, that relates to the protection of individuals with regards to the processing of personal data), getting into the weeds regarding what exactly those measures should be is a job for your InfoSec team. From a data protection standpoint, we simply need to know whether the vendor poses any security risks to us and our personal data, and where the data is located, and therefore decide if a transfer mechanism for data sharing needs to be implemented (a transfer being the movement of data from one place to another; this could be, for example, from one data controller to another, or from one jurisdiction to another).
Conclusion
Ultimately, it comes back to the 7th principle of the GDPR: Accountability (perhaps the most important GDPR principle, which requires controllers to take responsibility for complying with the GDPR and to document their compliance). This means not only saying you comply but demonstrating your compliance. Getting a third party to sign a piece of paper agreeing to a certain standard of data protection is one thing, but really you need evidence of exactly what they are doing in order to prove to a regulator that more than lip service is being paid to the GDPR’s requirements. Third parties don’t just need to talk the talk, they need also to walk the walk.
If you would like any advice on conducting vendor due diligence, or anything else data protection related, please get in touch through the form below.