[Photo: a close-up of a chain and lock securing a gate. Credit: Jose Fontano]

A recent think tank session I participated in at the headquarters of the International Association of Privacy Professionals (IAPP) was inspired in part by a tweet from a senior privacy leader. The tweet suggested we stop thinking about the recent Facebook/Cambridge Analytica scandal as a privacy issue, and instead view it as an issue with our digital supply chain.

There’s no doubt we are living in a data-driven society, a world of globalizing economies, data transfer and ubiquitous access to everything from everywhere. In today’s environment, data is like water: It’s rising all around us, flowing not only within our organizations, but between companies and their business partners and vendors, and between consumers and their devices.

Protect Data Anywhere and Everywhere

Because of this, data must be protected at every turn it takes. And that’s where safeguarding the digital supply chain comes into play.

Privacy's role in the digital supply chain may sound like a new idea, but it rests on well-established security practice. Because data is increasingly processed and stored by third parties such as suppliers, vendors and other business partners, protecting information that lives outside the organization's own perimeter has become a significant issue for organizations worldwide and for the security professionals tasked with making sure the job gets done.

For instance, the 2013 revision of ISO/IEC 27001, the information security management standard published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), dedicates a control section to the issue (Annex A.15, Supplier relationships). It expects organizations to maintain an active risk assessment program and to continually monitor, measure and assess the third-party vendors, suppliers and business partners with which they share data.


Regulatory Mandates Aiming to Improve Security

Two notable privacy instruments, the EU-U.S. Privacy Shield Framework and, of course, the EU's General Data Protection Regulation (GDPR), also require organizations to assess the security and privacy practices of the third-party partners within their digital supply chains.

Here's an overview of how those two instruments aim to improve the security of the digital supply chain:

  • The Privacy Shield creates a legal framework for personal data transfers between the EU and the U.S., and extends regulation of, and accountability for, onward transfers from an organization to its outside partners. To self-certify under the Privacy Shield, an organization must specify in its third-party contracts that any transferred personal data may be processed only for limited and specified purposes consistent with the individual's consent, and the third party must agree to provide the same level of protection. A company is therefore responsible not only for complying with its own privacy and data protection policies, but also for ensuring that its outside partners have comparable policies and operational procedures in place.
  • Similarly, the GDPR requires organizations not only to create policies that meet its mandate, but also to operationalize those policies and to be able to demonstrate that they have instituted and are complying with them (the accountability principle). This directly affects companies that regularly share customer data with external partners in their digital supply chains, particularly where the sharing is not related to the purpose for which the data was originally collected. The GDPR also sets out legal requirements between data controllers and data processors: Article 28 mandates a written contract between the two parties, and both must maintain the security of any personal data being processed. Article 32 lists technical and organizational measures to be considered when assessing the risks to the security of processing. These include encryption and pseudonymization, measures to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore availability of and access to personal data in a timely manner after an incident, and regular testing of the effectiveness of those measures.


Keep an Eye on Third Parties

Contractual language aside, the Privacy Shield and the GDPR both emphasize that organizations must maintain vigilance over their digital supply chains and assess the security and privacy practices of their third-party partners on an ongoing basis, not just at signing.

Companies have a responsibility to limit the data they share with outside partners to what those partners actually need, and then to ensure that vendors and suppliers safeguard that data and use it only for its intended purpose. Specifying those requirements in contracts lets an organization allocate liability to an external partner that suffers a data breach or cyberattack in which the organization's data is compromised. It does not, however, shift the organization's own accountability: under the GDPR the controller remains answerable for processing it has delegated, so the contract is a starting point for oversight, not a substitute for it.

Aside from specifying the protection of their data in contracts with third-party partners, organizations should also make regular vendor risk assessments a priority. Those assessments should involve much more than rote rundowns of checklist items. They should be proactive reviews in which the organization puts real effort into confirming that each vendor understands its obligation to protect the data it receives, and can show how it meets that obligation in practice.

We are living in a data-driven society, and data needs to be protected wherever it goes. By working to safeguard the sensitive data that they share with their external partners, and also mandating that their partners do the same, companies will be one step closer to ensuring that their customers’ personal information is as secure as possible.