Security in the supply chain – a post-GDPR approach

by usscmc
November 9, 2019

Not that long ago, businesses were rushing to put in place contractual terms with their processors to comply with the General Data Protection Regulation’s (GDPR’s) requirements for the appointment of processors. It was often difficult for businesses to carry out appropriate due diligence on their suppliers, and specific security requirements to protect against cyber risks were frequently overlooked.

The key requirements that controllers (most customers) need to meet to manage cyber risks with their processors (most suppliers) are:

  • To use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure protection of the rights of the data subject (Article 28(1)); and
  • To have a contract in place with the processor that requires the processor to take all measures required pursuant to Article 32 of the GDPR, which sets out the standards required for security of processing (Article 28(3)(c)). The processor must also assist the controller in ensuring compliance with its obligations regarding the security of processing, taking into account the nature of processing and the information available to the processor (Article 28(3)(f)).

If the processor commits to meet the security requirements, isn’t that sufficient?

The crux of the issue is this: although the GDPR sets out requirements relating to security – appropriate technical and organisational measures – it is not very prescriptive. Article 32 names only a handful of example measures (pseudonymisation and encryption; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems; the ability to restore availability after an incident; and regular testing of effectiveness) and otherwise leaves what is “appropriate” to be judged against the state of the art, the cost of implementation and the risk to individuals. The text is inherently legalistic and businesses are often left wondering how to apply the requirements in practice.

So, while a processor may be required to comply with the legal requirements, the processor’s view of what technical and organisational security measures are appropriate may differ from the controller’s own view. Likewise, where processors perform commoditised processing activities, they may not have sufficient knowledge of the personal data and how the controller uses it to assess the risks adequately.

But if a processor commits to meet GDPR security standards, won’t the processor be responsible for any non-compliance?

Clearly, if a processor is responsible for a security failure in breach of the GDPR, then the processor will have direct responsibility under the regulation. But the controller remains accountable for its choice of processor, so there is at least a possibility of the controller facing a fine for the security failings of its processor. And if security measures are not adequately described in the contract with a processor, it will be difficult for a controller to show it has taken the steps required to ensure it is only using processors providing sufficient guarantees to implement appropriate technical and organisational measures.

It may also be difficult for a controller to audit its processor if there are no objectively stated security standards to audit against.

What sort of information security standards should be prescribed in the contract?

There are various key themes that should be addressed in information security standards. Often, it is useful to refer to generally accepted information security standards recognised in the market, such as the ISO/IEC 27000 family of standards (ISO/IEC 27001 in particular) or the UK government’s Cyber Essentials scheme.

Information security requirements should include organisational security measures, such as:

  • Having in place, and implementing, appropriate policies and procedures to address risks identified with respect to the storing, transmission and processing of data in the performance of the services.
  • Ensuring that appropriate governance arrangements are in place with senior management oversight of cyber security standards.
  • Maintaining and implementing appropriate security certifications.
  • Education and training of staff involved in processing personal data.
  • Procedures for handling data security incidents.
  • Incident records and logs.
  • Continuous improvement processes.

In addition, technical measures should cover:

  • Compliance with particular security standards or certifications relating to the technical environment in which information is stored, transmitted or processed.
  • Access controls, logs and rights management.
  • Information barriers and data classification systems.
  • Physical security requirements – ranging from site controls and CCTV through to clear desk policies, if appropriate.
  • Technical security requirements appropriate to the services.
  • Authentication, back-up and deletion standards.
  • Sector-specific standards where required, such as PCI DSS compliance for payment card data and network security requirements for telecoms providers.
  • Specific device controls – for example, where mobile devices may be used in the processing of data.

Of course, this list is not exhaustive. Businesses need to think carefully about what best practice looks like for the services in question and what specific risks might need to be addressed with their processors. Short-form and longer-form information security standards may well be appropriate, depending on the specific processor and the services it provides.

Many of our suppliers refuse to accept our prescribed security standards. What should we do?

There are many reasons why processors may refuse to accept specific security measures imposed by controllers. This is often a matter of economies of scale, where suppliers have designed their services to meet particular requirements and may not be in a position to implement bespoke security measures for every customer. Likewise, bargaining power often comes into play.

In those situations, the processor should be able to provide details of the technical and organisational measures it already has in place under its own information security programme. Reviewing those measures as part of the diligence process allows the controller to satisfy itself that the processor can give sufficient guarantees about security.

And if that documentation exists, then clearly it can be set out in, or annexed to, the contract, even if the supplier requires the ability to update it as part of the continuous development of its services. Where the supplier reserves such a right, the contract should provide that updates do not materially reduce the level of protection and that the controller is notified of changes. It still pays to have a detailed set of information security measures set out in the contract.

Why review supply chain standards now?

It is almost 18 months since the GDPR came into force – and cyber security risks have moved on. We now know that regulators like the ICO are prepared to propose fines running into the tens and hundreds of millions of pounds. And cyber risks have been front-page news for other reasons, such as in the development of 5G technology.

It is clear that governments and regulators expect businesses to take better action to ensure appropriate security measures are in place to address cyber risks. Following best practice is now more important than ever.
