Data protection compliance…check,
information security policy compliance…check.
Most organisations that are outsourcing use the contract to manage regulatory and other risks. They place obligations on their suppliers to ensure that regulatory obligations are met, usually in the form of a set of policies that have to be adhered to. They then place penalties on the supplier in the event that these obligations are not met.
This is a sensible way of mitigating some of the risks associated with compliance, but many organisations forget two key things. Firstly, this approach does not “outsource” the risk. What it does is provide some recourse against the supplier, but no more than that. So if, for example, there is a data breach at your supplier which results in customer information being published online, your organisation would be liable for any fines that result from the breach. In the UK, that can be up to £1m.
Secondly, contracts often last a number of years. During this time, organisations, policies and regulations all change. Contracts often make it a supplier obligation to adhere to new policies, but all too often policies are updated without consulting or, worse still, even notifying suppliers. If suppliers are not formally notified of changes, anything those changes were trying to achieve is lost.
All of this points to the need within organisations for an ongoing compliance framework for suppliers that includes regular auditing and ensures that any policy changes are effectively communicated and documented.