Companies vary in how they work with their suppliers. A consequence of the information age is that we’re sharing more and more information. Where sensitive information is exchanged, it is important that responsibility for cyber security is also shared. Without agreements and a clear understanding of each company’s security role, your supplier could become the weakest security link in your ecosystem.
This is especially important when it comes to personal information. The General Data Protection Regulation has introduced very strict obligations on all companies that handle such information. It also gives the authorities the power to impose hefty fines in the event of a breach. If you hold or share personal information then you and, by extension, your suppliers are responsible for its safety and confidentiality.
Consequences of a breach
Think about the damage a well-publicised leak could do to your organisation. First of all, you were entrusted with the information, so you are immediately seen as less trustworthy. This, in turn, impacts your reputation. This, in turn, affects your ability to win business which, in turn, drops it into the lap of your competitors. To crown it all, the regulators could hit you with fines of up to four percent of your global turnover.
Suppliers and GDPR
Late in 2017, CGI UK commissioned and directed the Centre for Economics and Business Research (CEBR) and Opinium to conduct a survey and research around attitudes towards and preparedness for GDPR. Opinium surveyed 250 UK businesses with 29% of survey respondents drawn from companies with more than 2,499 employees and 72% from companies with more than 249 employees.
One of the questions focused on how companies had assessed their suppliers. You can see from the chart below that, at that time, the figures were relatively low. Suppliers were clearly not at the forefront when it came to preparing for GDPR. A small number – less than ten percent – regarded the question as not applicable to them. We have to assume that they saw themselves as exempt because they weren’t sharing personal information.
As for the remainder, it’s highly likely that the figures have improved but the question has to be, “Have they improved enough?” Some Dimensional Research statistics reported by Cyber Security Intelligence in June 2018 would suggest that the answer to that is likely to be, “No”. This may be because companies initially prioritised internal data and processes rather than their supply chain when preparing for GDPR. It’s also harder to change commercial agreements part way through a contract with a third party. The report indicates that, of UK companies, 73 percent have their GDPR implementation either under way or completed. However, only 21 percent report they are compliant.
You might find the issues raised in our survey helpful when assessing your own supply chain preparedness:
In which of the following ways have you assessed your supply chain under GDPR obligations?
Practical steps such as anonymisation of data before it’s exchanged might be complex in detail but it’s straightforward conceptually. First of all, your contracts and agreements should lay out the rules to be followed – what data will be shared and for what purpose? You also need to agree the details of its life cycle – its sharing, processing, storage and destruction. Both parties need to monitor everything that’s going on, maintain logs, know when to notify the other of incidents and agree on actions to take in the event of a breach. You should also check the insurance cover of all parties with regard to personal data breaches. When you think everything’s in place, it would be wise to conduct a tabletop breach exercise with your supplier. Better to discover weaknesses at this stage than when something goes wrong in real life.
Conclusion
If you share personal information with suppliers, then you have to treat them as part of your business. You are bound together by the obligations imposed by the GDPR and the associated Data Protection Act. A breach anywhere in the chain will reflect on, and possibly harm, your business. On the other hand, a thoughtful implementation of the GDPR requirements internally and with affected suppliers will strengthen your business, your customers’ trust in you and your reputation.
How are you working with your suppliers to fulfil GDPR obligations? Leave a comment and let us know. Or, if you want to talk about your GDPR preparations, or cyber security in general, please get in touch directly at cyber@cgi.com.
Footnote
The full GDPR text and guidance, including guidance around a number of Brexit scenarios, can be found on the Information Commissioners website.
About this author
Alex Woodward
Senior Vice President - Consulting Delivery, Cyber Security, CGI in the UK & Australia
Alex leads the delivery of the Security Operations element of CGI’s UK cyber practice with responsibility for Security Operations Advisory, Managed Security Services and Penetration testing functions.
