Love.Law.Robots. is moving!
You're browsing the original version of the Love.Law.Robots. Check out the new site. It's prettier and packs loads of new features!
Assessing the Privacy Risks of your Vendors
`What keeps the privacy professional up at night? The usual answer is idiot employees. However there is another kind of person you cannot control, and they are the ones who are likely to cause a data breach too. If you have not realised who yet, add these guys to your list — vendors.
Introduction#
One of the key lessons in the SingHealth data breach is that vendor management is an important aspect of managing your privacy risks.
[W]here the data processing activities are carried out by the organisation’s external vendor, the organisation has a supervisory or general role for the protection of the personal data, while the data intermediary has a more direct and specific role in the protection of personal data arising from its direct possession of or control over the personal data. Singapore Health Services Pte. Ltd. & Ors. [2019] SGPDPC 3 at [57]
In the SingHealth case, the organisation’s vendor, iHiS, failed to adhere to many of its data security policies and procedures leading to a data breach. This included using a simple password on an administrator account, not turning on firewall rules and unpatched software. The highest financial penalties totalling $1 million to date were meted out to both SingHealth and iHiS.
So how do you know whether a vendor is going to pull off a stunt that would cause you sleepless nights?
Effective due diligence #1: Assess the privacy risks your vendor may pose#
The world is a complicated place. There’s a lot of pressure to do things fast. You might be alone and wondering whether you should just get this done and over with. Privacy or data protection compliance isn’t high on the list.
It is therefore important to now stop and listen. “Privacy by design and default” sounds like a fancy term, but it is really a risk assessment. Go through the following questions in your mind.
- What kind of personal information will the vendor come in contact with? A vendor that will not process any personal information does not require much due diligence. A vendor which comes into contact with sensitive personal data requires far more scrutiny.
- Is the personal information requested necessary? If the vendor is asking for unnecessary personal information, consider negotiating the amount of personal data transferred to the vendor. You can certainly reduce your exposure this way.
- Is the personal information requested unusual? Processing data for customer trends is normal for a data analytics firm. Processing employee data to identify potential rule breakers? Hold your horses! A new business model is far more risky than an established one. If the vendor appears clueless when data protection is a key risk in their business, then this vendor does not inspire confidence.
Hopefully these pointers can help determine how much time and effort you should spend on a vendor. They inform the rest of the parts like how should the contract be worded and providing roadmap to what answers you need from the vendor.
Effective due diligence #2: Insert appropriate privacy clauses in your vendor contract#
The primary means by which an organisation may protect personal data entrusted to its vendors is through a contract.
The contract has many important uses.
- It provides legal liability for any non-compliance by the vendor. This should make your vendor sit up and evaluate its obligations carefully. The contract should also have an indemnity clause. This would help you to shift the liability to the vendor in the event of any non-compliance, especially if you have to deal with claims or complaints from the authorities or customers.
- It lets you set out the roles and responsibilities of each party in writing. If the vendor is responsible for the data security of its own services, the contract should say so. If you would like to audit the vendor, the contract should say so too. PDPC decisions such as the CDP Decision show that a clear demarcation of roles and responsibilities can mean the difference between whether you join your vendor in being held accountable by the PDPC.
- It sends out the signal that you care about data protection or privacy. A vendor is more likely to change its practices if the customer is telling them to do so. There is another audience for this too: the regulators. In the SingHealth case, the demarcation of duties and details in the contract were important in finding SingHealth to be less liable
In the process of negotiating these terms in the contract, you can test how important data protection is to the vendor through their responses to you. A great response is proactive and knowledgeable. A not so good response lacks confidence and is confusing. A disturbing response is no response at all!
Effective due diligence #3: Check its privacy notice and other public information#
That’s right. Google it.
The vendor’s representative might be doing his sales pitch. This customer just has GDPR panic syndrome, so let’s calm them down to get the contract. It’s best to cross reference with something objective.
Here are the points you can learn from a vendor’s website or other public information.
- Do they even have a privacy policy: In some industries, the impact of data breaches might not be felt. However if you belong to an industry where privacy is a big risk such as healthcare, IT or HR, not having a public privacy policy is like burying your head in the sand.
- Check out their privacy policy. Check for a cookie cutter policy stolen from somewhere else. Such policies shows that the vendor doesn’t recognise or understand their obligations. Compare with this gold standard: the privacy policy reflects the nuances of its business and products.
- Look for data security certifications: If you are dealing with a cloud service, data security certifications are the norm. However, most organisations I am aware of have not signed up to this, so this is certainly a highlight. The best know standard is the ISO/IEC 27001. Other relevant certifications include ISO 27552 and Data Protection Trust Mark. Ask the vendor for such certifications, if necessary.
- Look for bad news: Data breaches still make the news these days. Check whether your vendor is involved in any such news. Bad news can also be from other aspects of the vendor’s business too. For example, do they use vendors or services that are vulnerable?
Conclusion#
Not every vendor requires an in-depth analysis of their privacy risks. Furthermore the privacy professional’s time and resources is limited. Not every vendor is going to be perfect, so you will find something if you look for it. Planning ahead and being familiar with the vendor will help you to allocate these resources carefully. Finally your efforts to ensure compliance will be continuing, so this is really the first step in the journey.
PROTIP: If you have spent some time dealing with privacy risks of a vendor, you should complete a data protection impact assessment. Don’t let all your effort go to waste by not recording it!
Did I miss out anything? Feel free to comment if you have anything to add or if you have another approach to risk assessment.
Update (7/8): Added more examples of certifications you can look out for.