The General Data Protection Regulation (GDPR) is in full swing. Do you know how your supply chain is managing your company’s personal data? Are they fully compliant with the GDPR? If you answered “yes” to these questions, you can rest easy at night. If not, your company may be at risk of a data breach, a hefty fine, or a public relations debacle. Or, perish the thought, all three.
One of the trickiest parts of the GDPR is this: not only is your company responsible for managing personal data according to GDPR regulations, but it is also liable for the personal data in its supply chain. Like most companies, you probably outsource functions to third parties who process data for you, such as payroll, travel, employee health plans, and retirement plans.
As a data controller, you can be held responsible for data breaches, so you must conduct thorough due diligence on any third party you engage to process your data, to ensure its processes and procedures comply with the GDPR.
A data processor must maintain records, including the categories of personal data it processes, a general description of the security measures used to protect that data, and records of any data transfers. When you request it, the data processor must make this information available to you, the data controller, to demonstrate compliance with the GDPR, and must allow you to audit it, including through inspections. The data processor must also make this information available to the relevant Data Protection Authority (DPA) when the authority requests it.
If you enter into an arrangement with a third party in which both parties determine the purpose and means of processing the personal data you hold, the GDPR considers the third party and you to be “joint controllers.” Where you and a partner or supplier are joint controllers, you must define your respective responsibilities for compliance with the GDPR, and you must do so transparently. Regardless of what you agree with the third party, any data subject may exercise their rights under the GDPR against either the third party or you.
Here are the top five things to consider when making sure your company’s supply chain is GDPR compliant:
1. Map your supply chain, identifying each point that requires personal data collection. Personal data includes any information used to identify a person, including name, photo, email address, date of birth, ethnicity, religion, bank account details, purchase history, medical information, or employment history.
2. After identifying the areas of potential risk along your supply chain, make sure the data is gathered and handled in a GDPR-compliant way. This includes ensuring suppliers are adhering to the new regulations.
3. Review the data currently shared with existing suppliers to ensure they have access only to the information they need, then update their contracts to reflect the GDPR. For example, an advertising company launching social media campaigns won’t need your customers’ dates of birth or bank details.
4. For new suppliers, the contract must detail the data that will be shared, how it can be used, how long it can be kept, and how it will be dealt with when the contract is terminated.
5. In situations where you are a joint controller, you must establish an agreement between the other party and you that clearly documents your respective roles and obligations, including how responsibility and liability are apportioned between you. This could include cross-indemnities that would apply where a data subject makes a claim against one of the joint controllers in connection with a data breach by the other joint controller.
Conduct due diligence with all the partners and suppliers you intend to engage to ensure they have the proper security measures in place to protect the personal data your company holds. By complying with the GDPR at each phase of your supply chain, you will not only avoid fines for noncompliance, but also give potential customers another reason to select your company over competitors who are less prepared to comply with the GDPR.