By: Shazina Adam -- IT Procurement Manager, Sony Interactive Entertainment Europe (PlayStation) and UK Lead for Procurement Globally
16 October, 2018
With the General Data Protection Regulations (‘GDPR’) coming into force in the European Union on 28th May 2018, data protection has been catapulted into the limelight.
The potentially massive fines mean that data protection is now an area for regular board oversight.
IT procurement professionals will be at the forefront of ensuring that the external IT services their organisations use are GDPR compliant. A working knowledge of the GDPR will be vital for identifying compliance issues that require specialist advice.
Below are five tips for IT procurement professionals.
Please note that these tips do not constitute legal advice. You should take advice on data protection matters from a lawyer or trained data protection specialist.
1) IP Addresses Should Be Treated as Personal Data
The protection of ‘personal data’ is at the core of the GDPR. Article 4(1) GDPR defines personal data as:
‘…any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.’
At first glance, an IP address would not appear to be included within this definition, particularly if it is ‘dynamic’ (i.e. temporary). However, that is not the case. The key phrase in Article 4(1) is ‘an online identifier.’ This phrase is explained in Recital 30 GDPR (a ‘Recital’ is a text that sets out the reasons for the provisions of an Article) as follows:
‘Recital (30) Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags.
This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.’
This definition follows the pre-GDPR decision of the Court of Justice of the European Union in the case of Breyer v Germany in 2014.
So IP addresses constitute personal data.
2) Think of the Risk, and Not the Value of an IT Supply Contract
IT procurement professionals often give more importance to IT supply contracts with a higher monetary value. From a data protection perspective, the risk that the contract poses is more important.
Imagine that your organisation has a contract to fix the PCs at a branch office. The contract may be worth only a small amount, but the supplier’s computer technician would have access to data on the PCs. If the technician were to use the data maliciously, then a serious data breach would occur.
Therefore, lower-value supply contracts may need just as much data protection due diligence as higher-value ones.
3) Make Sure Your IT Supplier Is GDPR Compliant
Every so often, a well-known clothing company hits the headlines. A journalist will have found that some of the company’s products are being made by one of their suppliers under unethical conditions. Usually, this is contrary to the clothing company’s own policies. Yet, it is the clothing company that must deal with the bad publicity and financial loss.
Data protection is similar. A data breach by an IT supplier could have even worse outcomes for your organisation: large fines and, more importantly, a financially damaging loss of public confidence. IT procurement professionals will need to follow strict data protection due diligence and ensure that their IT supply contracts require strict GDPR compliance from their suppliers.
IT supply contracts ideally need to include the following requirements:
In particular, check that a supplier has ‘Binding Corporate Rules’ (BCRs) in place, where appropriate.
BCRs provide a solution for multinational groups of companies that export personal data from the EU’s jurisdiction to other companies within the same group located in third countries that the European Commission does not deem to have adequate levels of data protection.
BCRs ensure that all data transfers within a group benefit from adequate levels of protection. They must be approved by the relevant supervisory authority and are legally binding.
The stakes are high, but proper data protection due diligence can reduce the risk. A data breach could result in a large fine. However, a supervisory authority or court determining sanctions is more likely to be lenient with an organisation that has carried out proper data protection due diligence and has the proper systems in place than with one that has not.
4) Check Your Supplier’s Suppliers
IT systems are incredibly complicated. They often incorporate systems and programs from other suppliers.
Data protection due diligence must extend beyond your immediate suppliers to their suppliers, all the way through the supply chain. Your organisation may still be liable for the actions of any sub-suppliers. The IT supply contract will need to require your supplier to impose the same data protection terms on their suppliers as you have imposed on them.
If this is not possible, then you will need to take advice from your data protection or legal team.
5) Data Protection by Design and Default Should Be Part of Every IT Supply Contract
Data protection should now be a fundamental consideration when entering into an IT supply contract. Article 25 GDPR states:
‘1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.’
Data protection will now have to be given just as much weight as the price and functionality of an IT supply contract.
The principles of Article 25 GDPR will now be a fundamental consideration when negotiating and agreeing every IT supply contract. The protection of the rights of data subjects will need to be incorporated into every contract.
The GDPR is here to stay. Data protection can no longer be brushed under the carpet. The consequences could be disastrous for organisations that do not take proper measures to safeguard personal data. Procurement professionals have a key part to play when it comes to protecting their organisations from data breaches.
Shazina’s background includes process improvement, project management and end-to-end IT procurement. She is currently her organisation’s UK Lead on IT procurement and transformation, working closely with other international regions to optimise commercial arrangements.
The opinions expressed in this article are the author's own and do not reflect the view of either the employer or Beroe Inc.