Effective Data Protection – Managing the Risk Posed by Your Supply Chain
In addition to the highly publicised Facebook-Cambridge Analytica scandal, recent media reports of the data breach suffered by Delta Air Lines highlight the importance of effective data protection controls at every level of your business, both internally and externally. The breach affecting Delta occurred not on Delta's own systems but at one of its IT suppliers. The supplier provided the online chat service for Delta's website, and the cyber-attack on that supplier may have exposed the payment card information of Delta customers. The incident shows that a company's exposure is only as good as the weakest link in its supply chain: it is essential to manage suppliers effectively and to ensure that supply contracts impose robust obligations on suppliers in relation to the protection of personal data, in line with the impending General Data Protection Regulation (GDPR).
Awareness of General Data Protection Regulation requirements
Given the potential implications of non-compliance, companies need to ensure that all colleagues are aware of the requirements of the General Data Protection Regulation, not just the legal and compliance teams. Any employee who engages with suppliers or contractors should appreciate the impact that non-compliance could have on the company and should ensure that data protection issues are considered during the contracting process, before personal data is shared with the supplier rather than after.
Assessment and Audit
In order to take effective steps to ensure compliance with the GDPR and protect personal data it is important to understand exactly what personal data your business holds and how that information is used by both the business and its supply chain. Companies should consider taking the following actions to assess compliance, resilience and security both within the business and the external supply chain:
- Consider what personal data the company holds, where it was received from and who it is shared with (including employees, customer data and supplier data).
- Map out current data processing activities with a view to creating an internal data processing register. In each case there should be a clear, legally justifiable reason for the processing, which should be documented.
- Review existing data protection policies in respect of: handling employee data, customer data, other third party data (such as suppliers and business partners), sharing of any personal data with third parties, data subject access requests, information security and data retention periods. It is also important to ensure that your suppliers are complying with your policy and that you have the ability to review any supplier policies to check that they are adequate.
- Review contracts with key suppliers in which personal data is to be processed to ensure that appropriate obligations are on the parties to comply with the GDPR (article 28 requires data controllers to impose specific obligations on data processors) and that the liability position is appropriate given the potential for much more significant sanctions under the GDPR.
- In addition to negotiating “GDPR-ready” clauses in respect of data protection obligations, companies should also consider re-negotiating clauses relating to audit rights, insurance and exclusions of liability (particularly in respect of any loss of data).
- Consider how and where the consent of individuals is recorded and ensure that there is a clear record of what individuals have consented to.
- Ensure that procedures are in place to enable the business to detect, investigate and respond quickly and efficiently to any data breach. The GDPR requires a data controller to notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach, and it requires a data processor to notify the controller without undue delay after becoming aware of a breach. The 72-hour clock therefore depends on how quickly your suppliers tell you, so this step will include reviewing the breach notification obligations on data processors in the company's contracts with suppliers and/or customers, including the timescale within which the supplier must report and the information it must provide.
- Re-assess the company’s insurance coverage for data breaches and consider whether any changes are required given the exposure to more stringent sanctions under the GDPR.
For further information or assistance with reviewing data processing contracts or managing your data protection policies and procedures, please do not hesitate to contact any member of Walker Morris’ Commercial or Regulatory teams.