DATA PROTECTION - 09.12.2016

Suppliers and your confidential information

You’re considering taking on a new supplier who will have access to your confidential business information. What sort of checks should you make to satisfy yourself that they will keep your data safe and secure?

Look at security

In September 2016 we advised you how to carry out basic due diligence checks on potential suppliers (yr.17, iss.22, pg.2, see The next step). However, where a supplier will have access to and/or store confidential business information on your behalf, those due diligence checks won’t be enough on their own. So in this situation what additional questions should you ask?

Identify sensitive data

Start by identifying exactly what business data the supplier will receive from you and why you consider it to be confidential. Examples include pricing structures, customer lists, marketing strategies and design ideas. Alternatively, a supplier may have access to confidential information about your employees, such as salaries, benefits packages and/or details of work processes. Whilst the above information is highly sensitive, none of it will be protected by intellectual property rights.

Employee screening

Next, as data theft is big business, ask the supplier to explain exactly what employee screening practices they use. As a minimum, they should undertake credit checks on all staff who will have access to your confidential business information. This will reveal details of any county court judgments, bankruptcy orders or voluntary arrangements (but you aren’t entitled to see the results). The supplier should also have a robust reference-taking process and establish each employee’s work history and their real reason(s) for having left previous jobs.

Tip 1. Ask the supplier for a copy of its data protection policy and establish what data protection and security training it provides to employees who will handle your confidential information. Training should be ongoing as you want a supplier who stays on top of the law.

Tip 2. Find out if the supplier includes non-disclosure clauses in the employment contracts of all those who could access your confidential business information. This should protect your position if the employee takes a new job.

Cloud storage

If a supplier will be providing data storage and/or backup facilities, e.g. cloud storage, check: (1) what systems they have in place if their main servers go down; (2) the level of encryption used to keep data secure; (3) their encryption policies; (4) how they will keep your data separate from that of other clients; and (5) how thorough their disaster recovery plan is, e.g. what will happen in the event of a flood or a major power outage.

Tip 1. Always investigate the supplier’s financial standing - if they become insolvent, you could easily lose access to some or all of your business information. Even on a temporary basis this could have serious consequences.

Tip 2. We’ve created a helpsheet that includes the questions to ask potential suppliers about their data confidentiality processes (see The next step).

For the previous article on due diligence and a free supplier data confidentiality helpsheet, visit http://tipsandadvice-business.co.uk/download (CD 18.06.04).

Request a copy of the supplier’s data protection policy and establish what pre-employment screening checks it carries out, how your data will be stored/encrypted and what training is given to those who will handle your data. Our helpsheet covers all the questions to ask.

© Indicator - FL Memo Ltd
