If your organisation is a data controller under the Data Protection Act 1998 (DPA), i.e. someone who controls the manner and purposes for which personal data is used, then you are responsible in full for your supplier's performance. We look at one real-life example which illustrates why discharging this responsibility is far from straightforward, and explain why solving it requires a firm, pan-organisational focus on achieving the right result.
Some food for thought
If a supplier makes a mistake which is a breach of the DPA (the classic example is around security) you are responsible for that breach. In a worst-case scenario, if the Information Commissioner's Office (ICO) investigates, it will be coming after you, not your supplier. It will be your customers and clients who are concerned and contact you and/or complain. The media will be phoning up your press office and PR people for comment.
Against this backdrop you may naturally turn to look at what your supplier contract says. It may feel like cold comfort, but at least you will be able to pass some of the consequences on to the party actually at fault.
Imagine what your thoughts might then be if your lawyers turn around and say the contract you signed up to looked like this from a data protection compliance point of view. (ticks = position compliant with regulator guidance, crosses = non-compliant or high-risk position).
You would be forgiven for reacting with some horror. You might then turn to your other colleagues and ask how you came to be in this position.
How you could end up in this position
If you think the above scenario is far-fetched, think again.
The table above summarises the contractual and due diligence position one organisation of which we are aware reached with one of the biggest global IT suppliers. They had spent months in negotiations and £000's in related costs. They are far from being a small organisation. They had had some of the best lawyers and information professionals on their side throughout discussions, and they are far from lax about data protection and privacy compliance in the base case.
So how did this situation come about?
Our best guess is:
- They ran a procurement process which did not ask appropriate data protection compliance or information security questions.
- They were being advised by IT consultants, who "knew" the relevant suppliers very well, but focussed on the commercial side of things without considering compliance with any real seriousness.
- They did not pause to consider the reputation of their supplier in this area (let's say it has something of a track record).
- The supplier responses they did receive later on privacy questions were general and "sales" orientated, so did not shed any real light on the issues.
- They did not do any proper information security due diligence to dig beneath those responses.
- Their negotiation team did not escalate the risk position internally until the 11th hour, at which point it was very difficult to achieve anything else due to the pressure of business timescales, and consequences of not proceeding.
- They arguably allowed themselves to be blinded by their supplier's brand.
Suppliers are not legal fools
It is important to remember this fact. In the above scenario, the relevant supplier was also well-advised, knew all the relevant legal issues well enough, and had at least equal commercial negotiation power. In some respects they were simply and legitimately defending their own interests.
The catch is that, with negotiations becoming protracted, and with the outstanding issues going unescalated, matters also played into the supplier's hands. At the 11th hour an organisation looking to appoint such a supplier has a very difficult commercial decision to make. It can ditch the supplier for offering little in the way of legal compliance comfort (where the risks are typically gauged as low likelihood but high impact), but in doing so lose months of procurement and negotiation costs, not to mention the costs of re-running the entire process and delaying strategic IT initiatives. Or it can sign up that supplier on such poor terms, knowing that if the worst should happen, it will be left very exposed.
Should wider commercial considerations win the day?
This question is always difficult to answer. Consideration of the relevant issues is always full of "ifs, buts and maybes".
If the IT system in question turns out to be the best thing since sliced bread, if all its users love it, if it delivers its required business objectives in full, and if no security or other DPA compliance issues actually materialise, then obviously from a commercial point of view the deal would still be a good one.
Conversely, if the system is at best ok, and involves material compliance issues in future, it will be a poor deal all round.
The catch is, if you are the client organisation, you simply won't know for certain which position is likely to materialise. Furthermore, senior executives and/or board directors may legitimately resent having to make such a difficult call, and ask why they ended up in such an awkward position in the first place.
How to avoid this situation in practice
Our top tips are set out below. They are not rocket science. The key message is that up front prevention is better than cure.
- Make sure everyone knows that you take privacy compliance seriously, i.e. the supplier, your stakeholders and advisers.
- Make sure you have a rough organisational view on how to assess data compliance risk appetite, and where your red line sits. Once you draw this line, stick to it (you drew the line for a reason).
- Ensure the right procurement questions are asked early on, appropriately scored in your selection criteria, and the right behavioural standards are set. (This does not have to be an enormously complex undertaking.)
- Be clear internally about your privacy compliance expectations, reporting and escalation channels (including related triggers and timescales), especially if using external third parties to advise you.
- Consider if you have any "previous" with the supplier in question. Learn from past problems. If you don't have any past experience, put your feelers out into your industry, but make sure you discuss more than just commercial issues.
- Keep the procurement responses and wider feedback you receive and the behaviours you expect in the forefront of your mind at all times. Make sure your negotiation team know about them.
- Be proactive in raising issues, challenging your supplier, risk reporting and escalation at all times. If you do so, and small points become big issues later on, the chances are you will have given your stakeholders some prior warning. You may also be able to head issues off before they become substantial.
- Don't get blinded by brands and sales language. In legal terms they are all "mere puffs", which beautifully sums up how much worth they will be if things don't go to plan.
- It is a pain, but once you have a deal done, document as simply as possible why it was done the way it was, and any residual risks, mitigants and other actions. If you can aggregate this information, it will give you a steer as to whether you are acting in line with your stated risk appetite, and potentially reveal systemic issues which you may need to tighten up.
Has the supplier really protected their interests?
In the short term, and from a contractual liability point of view, unquestionably yes.
There are other issues at stake though. Once the position set out above is recognised and escalated, a client organisation almost inevitably has a far less positive view of the supplier in the round. They no longer see the relationship as one of genuine strategic partnership; it feels like a far more one-sided proposition. They may also call into question the supplier's values, especially its openness and transparency.
These are not small points. They have an impact outside of the legal arena, e.g. around the claimed qualities of the system and services themselves.
In such situations, even if a client bites the bullet and proceeds with the deal, the supplier might find itself on a "watch closely" list or even a black list for future deals. If it does, would the supplier feel like its overall best interests had been achieved?