
Chain of fools

John Lloyd, Director
October 2024

Aretha Franklin was absolutely right when she recognised that “every chain has a weak link.” Unlike Aretha, though, the trick for a business is not only to avoid being that weak link for others but also to make sure your own supply chain contains as few weak links as possible.

In our modern, globalised, massively interconnected yet increasingly remote world, no organisation is an island in the stream. Like Dolly and Kenny, we rely on each other (ah-ah) in a way which is charmingly harmonious yet also brings unprecedented risk. Recent prominent outages of different stripes remind us of our reliance on the people who support not only our own organisations but also those on whom we depend to do what we need. The advent of generative AI has also sharpened the focus on data governance and reinforces the need for a sophisticated understanding of supply chains and their associated risks.

While I would like to teach the world to sing in perfect harmony, that may be a little unrealistic. Happily there are steps we can take to avoid Arethan foolishness, at least in the data protection department, by borrowing a few key questions from other musical legends…

Who is he and what is he to you?

Bill Withers recognised that understanding the controller-processor relationship is key to managing your information infrastructure and extrastructure. Have these relationships been properly defined, described and documented? You may find yourself on the hook for the mistakes made by your contractors and their sub-contractors, and any sanctions may be amplified if you are found wanting either in the due diligence or in the contracting process.

The recent €290m fine for Uber (about which more in a moment) should have given everyone pause for thought but perhaps especially those companies with a corporate Uber account, who might find that they are also in the regulatory crosshairs (especially if Uber try to wriggle out of their own fine).

How long has this been going on?

Ace’s Paul Carrack may have claimed not to be as dumb as he seemed but nobody wants to be surprised by the late discovery of something not being quite as it seemed. Prevention is always better than cure so consider the extent to which your supplier due diligence process can catch and correct any deviations, including among your existing suppliers. Familiarity breeds complacency and while we all prize reliable, trusted relationships, that confidence should be underpinned by robust and routine due diligence to make sure that the trust which has been earned is still deserved.

What have you done for me lately?

Janet Jackson should be applauded for being alive to supplier risk and the need to keep her contractors under regular review. Consider both whether these relationships are still active (and consequently the likelihood that legacy suppliers still retain data excessively) as well as whether your longest standing partners have themselves changed their own data infrastructure over the period that you have been working together. This may be especially true if the supplier has changed hands, noting here the obligation on processors to seek authorisation from controllers for changes to sub-processors.

One area in which a lot of organisations and people have been extremely active lately bears particular consideration…

Are we human?

I have never marked Brandon Flowers as a tech guru (which may be why his follow-up question was ‘Are we dancers?’ and not ‘Is this a chatbot?’) but The Killers were right to be concerned as far back as 2008 about AI and machine learning tools. What has perhaps been lost in all the brouhaha around generative AI in the last couple of years is that AI/ML has been part of the fabric of many organisations for decades, with little concern paid to the data protection risks, outside some well publicised cases.

Even the largest technology providers have struggled to keep up with the tension between the pace of change, user demand and responsible development of the technology, as seen by Meta's recent run-in with the European Data Protection Board, OpenAI’s rap on the knuckles by the Garante in Italy or Microsoft's multiple attempts to corral Copilot into a manageable enterprise offering.

Do you really want to hurt me?

Security lies at the heart of data protection. (We are called Securys, after all: the clues are there.) In data protection terms the security risk is sometimes characterised simplistically in terms of cyber security, and it is true that ransomware, phishing and dastardly [insert despotic regime here] hackers have plenty more to aim at if you have extensive networks of suppliers. A focus on the attack surface for bad actors may overlook other security vulnerabilities which can lead to breaches, especially from within organisations.

Any organisation's security stands or falls on the capabilities and vulnerabilities of its human infrastructure, which can underline or undermine any technical controls. Sometimes it is the people closest to us who cause us the most pain… so make sure that your information security and privacy training and awareness programmes extend to contractors and equivalent assurance from suppliers.

Do you know where you're going to?

Many companies are just as bemused as Diana Ross when it comes to international data transfers, all the more so when it comes to suppliers with their own networks of sub-contractors. The traffic of data around the world is an inescapable fact of modern life and, outside a few jurisdictions with draconian localisation rules and repressive technical controls, data flows freely between countries. This can be addressed by data mapping, process reviews and risk assessments, but it is quite a job to stay on top of all that given the complexity of these networks; a focus on key supplier risk is a good place to start.

Are you ready for it?

Swifties are known for their love of regulatory horizon scanning as much as traipsing around the world to see their idol so no wonder they embrace the need to be up to speed with everything going on in the various jurisdictions through which they (and their personal data) pass. Waiting for data protection laws to pass can feel like queuing for Oasis tickets but the rewards when they do finally arrive are arguably much richer – if you prefer privacy to derivative dad rock. Add to that the plethora of AI laws and regulation breezing through legislative chambers like so many fans through the turnstiles and the need to stay abreast of these changes becomes ever more apparent.

Make sure, then, that you can answer the question “How can I be sure?”[i] before you have to say “What kind of fool am I?”[ii] or even “Who's sorry now?”[iii]

[i] The Young Rascals

[ii] Anthony Newley

[iii] Connie Francis

Act now and speak to us about your privacy requirements

Start a conversation about how Privacy Made Practical® can benefit your business.
