Blind Trust or Due Diligence? Managing Supplier Risks Before Disaster Strikes

Data Processing Agreements (DPAs) are legally required under Article 28 of the GDPR and are essential for setting the minimum requirements for data processing by third-party suppliers. Operationally, however, a DPA alone is not enough to secure proper data protection and vendor compliance during the run phase of a contract unless it is accompanied by a robust Supplier Compliance Framework that defines clear compliance requirements and ensures proper monitoring, reporting, and continuous assessments.

Why? It almost always boils down to the cost of resources. Processors are not always eager to invest in experienced compliance staff because compliance is not directly connected to profit generation, as sales and marketing are, but rather to risks that are in many cases overlooked and not always transparent to top management.

Because of this lack of investment in compliance resources, which stems from companies failing to see the ROI of a robust compliance team, many organizations expose themselves and their customers every day to operational, legal, security, reputational and financial risk. An abundance of up-to-date examples of data protection fines from various EU jurisdictions is available in this GDPR enforcement tracker.

Therefore, a comprehensive Supplier Compliance Framework with indemnity clauses should be negotiated and aligned by the compliance teams as part of the Master Service Agreement (MSA) in the initial stages of supplier selection and the due diligence phase, and certainly before any contract is signed.

The aim of such an agreement is to ensure that the supplier adheres to the compliance requirements agreed upon in the due diligence phase, whether they relate to privacy, information security, enterprise risk, business continuity, or other areas.

To make the ROI concrete enough for suppliers to take compliance seriously and dedicate sufficient resources with the capacity to work not only thoroughly but also proactively on compliance requirements, the Supplier Compliance Framework must contain liability clauses that indemnify the Data Controller for discrepancies in the timely execution of the compliance requirements set out in the Supplier Governance Framework and the DPA.

For example, one condition would be to contractually limit the resolution times for security vulnerabilities resulting from penetration testing and connect that to a liability. I have seen a situation where an ISO 27001 certified supplier processing lots of sensitive personal data informed their customer (the data controller) that they needed 3 months to close several Critical and High classified vulnerabilities in a disastrous pen-test report that was shared with the customer a month after its date. In this contract, if the resolution time had been connected to a liability, the supplier would have closed the findings within a reasonable amount of time.

What else should be included in the Supplier Governance Framework?

- Pre-agreed Audits, Risk Reporting, and Pen-Testing: Regular, planned audits by certified third-party auditors force the provider to keep the promises and standards agreed to during the initial negotiations, especially when combined with contractual penalties for exceeding the agreed resolution timelines.

- Structured Meetings with Defined Roles and Accountabilities: Conducting structured meetings with clearly defined roles for participants from both parties fosters proactive communication and coordination. Such meetings may include Compliance and Commercial committees and Service Delivery reviews, with established escalation paths for unresolved issues. The frequency and depth of these meetings should align with the importance of the contract.

- Risk Reporting: Comprehensive risk reports are crucial to assess various aspects of a supplier’s health, such as business continuity, financial stability, and potential operational risks. Monitoring these factors ensures that organizations remain informed and can act swiftly to address any emerging concerns that might impact their reliance on the supplier.

The Bottom Line

Implementing a proactive and well-structured approach to supplier governance and data governance enhances compliance, minimizes risk, and reinforces organizational resilience. Building a comprehensive supplier framework under the MSA from the outset sets clear expectations and ensures adherence to negotiated standards. Establishing clear responsibilities, maintaining communication between compliance teams, and employing consistent audits and reports foster trust, accountability and secure data management in an increasingly regulated environment.
