While most businesses now have privacy policies in place and an awareness of how to manage their customers’ personal data on their own systems, we are still seeing many businesses that are relatively unaware of their data protection obligations in supply chains.
Just as there is a supply chain, there should also be a corresponding data compliance chain, which should form part of each contract negotiation. Ensuring that controllers, processors and sub-processors each comply with their contractual obligations can become quite a technical exercise, as those obligations are designed to create a secure chain.
Data protection obligations
Data protection legislation in the UK and the European Economic Area (EEA) requires data controllers to undertake due diligence on parties they appoint as processors or share personal data with. This means that data controllers should use only processors that can demonstrate their internal compliance, document the security of their IT systems and implement appropriate technical and organisational measures, as required by the General Data Protection Regulation (GDPR) to protect data subjects’ rights.
However, there is no clear definition of “technical and organisational” measures. The best advice is for the parties to discuss and agree what measures are appropriate for the purposes of their contract, and what those measures look like in practice.
If measures are not adequately recorded in contracts, it will be difficult for the controller to show they have properly conducted due diligence. It will also be difficult for the controller to verify their compliance in audits. Article 32 of the GDPR sets out the standards required for security in data processing.
A data controller sharing the data it has collected should be careful to document each instance of data sharing, whether it is with another data controller or with a data processor. This means establishing whether the parties are each a data controller, or whether one is a controller and the other a processor.
Sharing personal data with another controller doesn’t mean losing control over personal data entirely – a data sharing agreement can be very specific as to how data is used.
What your business can do to improve data protection compliance
Every stakeholder in the supply chain has their role to play in protecting the personal data of their customers, employees and business partners. The exchange of employee contact details between contracting partners also falls within this legislation, as work email addresses or telephone numbers are personal data. Therefore, it is not only the personal data of customers that needs protection but also that of employees.
Complying with data protection legislation takes more than ensuring general awareness and training of employees, although human error is the most common cause of a data protection breach. Good data protection compliance practice is therefore vital. These measures might involve:
- Development of policies
- Password systems and authentication
- Management of different access categories
- Different databases
- Annual reviews and questionnaires to employees on issues they have with data protection in their roles.
Most importantly, data protection legislation doesn’t stand still – we have seen a lot of change in the practical steps contracting parties in the supply chain need to take to achieve compliance over the last two years. Firstly, Schrems (Privacy Shield), then Brexit, then new European SCCs and now the new UK IDTA.
In the meantime, in other areas of the world, new data regimes have been developing to achieve adequacy under the GDPR. Our experience is that data protection is an increasingly complex area that most businesses must engage with in their supply chain, particularly as ecommerce and e-services continue to grow.