Yes we know it may appear to be a bit of a stretch, but there are some very valuable lessons for the privacy sector to be drawn from the recent horsemeat crisis, not least around supplier management, due diligence and contract terms.
Fundamentally, the horsemeat problem has spun from outsourcing and supply chain management. Whilst the full facts are still emerging, it appears that some of the UK's largest food retailers and manufacturers thought they were dealing with reputable third party organisations, placed their trust in them, and in some cases lent their name and reputation to their products.
This trust now appears to have been heavily misplaced. It has left gaps in otherwise complex and thorough due diligence processes, which at best have allowed complacency in supplier organisations, and at worst have been exploited by the unscrupulous.
Whilst legally the problem in many cases may lie with the food manufacturers implicated, and not necessarily with the retailers, all organisations involved are being tarred with the same brush.
It remains to be seen whether consumers will change their behaviours to any material extent. Most organisations won't be willing to take the chance though. With the all-important aura of trust that people place in their food having been tarnished, the food industry, not to mention the UK, French and Romanian governments, is spending a lot of time, money and effort on minimising the fall-out.
How does this position link to the privacy world?
As readers of this blog will be aware, the world of personal data and privacy compliance is also built on outsourcing and supply chain management.
Cloud and "big data" service providers, web and app developers, digital marketing agencies and HR consultancies (to name but a few potential suppliers) all handle organisations' personal data in increasing volumes, with increasing sophistication, and with ever greater insight into the lives and behaviours of individuals.
Furthermore, an organisation does not always directly control its sources of data supply. Data is often fed into an organisation from other third parties, for example from social networks, partner marketing databases, or perhaps regarding fraud, credit history and online behavioural preferences.
Every supplier has the potential to create great benefits, but also to pollute. For an organisation gathering personal data and appointing suppliers for its own purposes, any such pollution is a material risk. As data controller it carries all the legal compliance obligations under the EU's Data Protection Directive and the UK Data Protection Act 1998, and it remains responsible for its suppliers' mistakes. In a worst-case scenario other organisations might also be implicated, but this will be cold comfort when the data controller is worrying about its own customers' reaction and having to deflect direct questions from the Information Commissioner's Office (ICO) and potentially other regulators.
Most importantly, an organisation's data protection and privacy compliance is only ever as strong as the weakest link in this chain. As in the food sector, if an organisation has sub-contractors to the sub-contractors of its direct supplier, it may be the smallest sub-contractor, two steps removed from any direct relationship, who is the potential bad guy, the weak point, the source of horsemeat.
With modern cross-border procurement and data-flows, that sub-contractor could be anywhere in the world, potentially in a jurisdiction which does not have the same views on protection, accountability or even contractual enforcement, making any kind of recourse rather problematic.
Furthermore, the threat is real. Only last week Trustwave (an information security provider) released the preliminary conclusions from its latest research in this area. According to Trustwave, some 63% of all suspected data breaches it investigated involved outsourced suppliers - not an encouraging picture.
So what is the solution? How should an organisation appoint a supplier or partner?
We are often asked how best to address such issues.
The classic legal answer is to state that the Data Protection Act 1998 requires an organisation acting as data controller to appoint only those data processors who provide "sufficient guarantees" in respect of the technical and organisational security measures governing the processing, to take reasonable steps to ensure those measures are complied with, and to put a written contract in place.
What constitutes "sufficient guarantees" is obviously open to some question.
In general it is a matter of having good procurement selection criteria covering off all relevant privacy issues and adhering to them rigorously. If this is done, the procurement exercise won't then be upset by the lawyers asking awkward compliance questions at a later date.
The criteria then need to be backed up with initial and ongoing due diligence, especially around security, to make sure a prospective supplier or partner not only makes the right noises to give the impression of compliance, but also walks the talk in practice, both now and in the future. Physical site visits and face to face questioning of real people are obviously preferable to purely paper-based answers: an organisation can look its supplier or partner in the eye and read their body language. This world should be familiar to all seasoned information security and procurement professionals.
Such up front caution is then backed up with the written contract, which should cover off:
- The purposes for which the personal data can be used.
- Security and business continuity measures to be adopted.
- Compliance with the data controller's instructions.
- Subject access and breach co-operation.
- Assurances on the sources of any other data being fed into the mix.
- Restrictions on foreign transfers, or if these are to be permitted, provisions dealing with the relevant regime under which transfer is being done (the subject of another blog post).
- Controls over the appointment and sharing of data with other organisations including flow-down of contract terms to any permitted sub-contractors.
- Ongoing audit rights.
- Return and destruction of all relevant data on exit.
- Related liability and indemnity issues.
- Related termination rights.
What happens in practice?
The response set out above will only get an organisation so far.
In the real world, few if any organisations have a bottomless pit of resources to investigate and audit every chain of suppliers and their sub-contractors on an ongoing basis, or to sustain the protracted legal battles that can be involved in negotiating full contractual protections (indeed many suppliers will not give fully compliant contracts, no matter how strong an argument one may have).
Whilst the above approach should be used in all cases, in practice it is therefore often treated as a gold standard, to be reserved for the most important of relationships.
This position raises further questions though. How does one identify the most important of relationships? What is the fall-back position for lesser ones?
To answer these questions, privacy considerations obviously have to be put in an organisational context, a risk-weighted view has to be taken, and resources have to be directed in proportion to the risk.
From a legal standpoint, it is vital to remember that:
- In terms of privacy risk, the size of a deal in terms of value is only one guide; small, perhaps relatively insignificant arrangements can have material privacy consequences, especially in the marketing and HR space, if a supplier has access to an entire CRM or employee database. A small supplier may therefore present risks that are disproportionate to the amount of money changing hands. This position can be a source of frustration and misunderstanding for internal stakeholders, who may see compliance as an undue burden or a blocker on "getting things done".
- There are nuances around what we mean by "risk". The risk of breaching the Data Protection Act 1998 is one potential measure, but the ICO does not treat all breaches the same: a breach involving sensitive personal data or large numbers of individuals will attract far more regulatory attention than a minor technical failing. Any risk-assessed approach should take this into consideration.
- Some relationships can have material reputational repercussions for an organisation, even if the organisation does not, technically, have all or even any of the associated legal liability.
- Big, trusted suppliers do make mistakes (and can be the most challenging counterparts with which to achieve a compliant position).
- Strictly, there is no "fall-back" position. A position is either compliant or it is not.
That said, the most significant ingredient in rolling out a successful risk-based approach is an organisation-wide compliance culture.
An organisation needs to have the willingness to really understand its data resources and relationships and rate them relative to one another, encourage staff to recognise, call out and treat seriously the issues when they see them (itself a product of decent knowledge and training), impose meaningful organisation-wide processes and controls, and review its entire position from time to time.
If it does not, its approach will only ever be ad hoc rather than systematic. Unintended gaps will creep in, and some material relationships will inevitably escape scrutiny: and as we have recently seen, material gaps can result in horsemeat.

This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.