The Labour Party is working with the ICO (Information Commissioner’s Office) and NCSC (National Cyber Security Centre) to manage a data breach within one of its suppliers, Blackbaud.
The breach involved the theft of information pertaining to Labour members and supporters. Compromised details include names, email addresses, telephone numbers and amounts donated.
After paying an undisclosed ransom, Blackbaud received assurances from the attackers that the stolen information had been destroyed. Whether it actually was cannot be verified, and such assurances should be treated as worthless for risk purposes: the data must be assumed to remain in the attackers' hands.
This incident leaves the Labour Party facing the reputational damage that comes from being linked to a data breach. But what responsibility does it bear for a supplier that has failed to keep its data secure?
One of the purposes of the GDPR (General Data Protection Regulation) is to make data controllers keep closer oversight of their supply chain. Article 28 requires a controller to use only processors that provide sufficient guarantees of appropriate technical and organisational measures, and to bind them by a written contract. It is therefore the controller's responsibility to obtain assurance from its data processors that they are handling information in a secure and compliant manner. Outsourcing the processing does not outsource the accountability: if a data controller cannot demonstrate this assurance, it is potentially liable to sanctions from the ICO.
What does this assurance look like? The bare minimum should be to have compliant sharing agreements in place. This involves a review to identify all the third parties an organisation is sharing personal data with and finding the contracts for those services.
The agreements can be stored in a single location and reviewed to ensure they are compliant and in date. Where this is not the case, the organisation needs to contact the data processor to discuss updates to the terms of the agreement.
Contracts and supplier questionnaires
In the case of smaller data processors, renegotiation of contract terms and sharing agreements can often be straightforward. When dealing with larger organisations that trade using standard terms and conditions, there is often little that can be done if you want to keep using the service.
However, larger suppliers will often be able to provide supporting documentation on request demonstrating how they comply with regulations.
Where a data controller requires additional assurance, a supplier questionnaire can be useful. These are forms usually issued during the tendering process. The supplier is asked specific questions about its data processing and security measures.
Although there are template questionnaires readily available online, the best way to make these useful is to adapt them to suit the specific data processing needs of an organisation.
These questionnaires can then be held alongside contracts and sharing agreements to provide an extra level of assurance.
Under the GDPR (Article 9), there are special categories of personal data that require particular care when handled, because of the increased likelihood of harm and distress should they be breached.
One of these categories is data revealing political opinions, which a record of party membership or donations does. As such, a political party losing the details of its members is very serious.
The Labour Party should have obtained a very high level of assurance that its suppliers could process the data securely before it was handed over.
Organisations that need such assurance should perform a supply chain audit. These are typically undertaken by an external consultancy, such as DQM GRC.
Consultants engage directly with third-party suppliers and review their data processing activities, alongside the governance and policy infrastructure that underpins them.
This additional engagement and expertise provide the data controller with a comprehensive overview of its supplier’s ability to process data securely.
A supplier audit provides a gold standard of assurance that a data processor is complying with the requirements of the GDPR.
Should something then go wrong, the data controller can better demonstrate that it did everything within its power to make sure the data held in its supply chain was secure.
The more assurance a data controller has obtained, the less likely it is to face a monetary penalty from the ICO. The investigation into the Labour Party breach is still in its early stages, but whether it is sanctioned for the incident will largely hang on which of the above activities it undertook when engaging Blackbaud.
Given the sensitive nature of the information released, Labour will need to demonstrate assurance towards the higher end of what has been discussed here: at least a supplier questionnaire, and ideally a supplier audit. It will be interesting to see what the investigation digs up.