Months of hard work mean the General Data Protection Regulation (GDPR) implementation date passed without problem for many oil and gas companies.
But now the key processes are in place, argues Kevin Duthie, EY Associate Partner, it’s time to focus on the compliance risks still lurking in your supply chain.
The 25 May 2018 GDPR implementation date is now behind us, but the hard work is not over. Companies must be aware that some aspects of the regulation are still evolving, and they must address the fact that, in putting the major building blocks in place ahead of the deadline, they may have left some areas still exposed.
Have you considered the risks across the full supply chain?
Oil and gas companies typically have hundreds or thousands of relationships with third party vendors across countries and continents. This poses two high-level problems.
1. The sheer volume of relationships, big and small, requires careful scrutiny and the updating of contracts to reflect the new rules.
2. Many of the third-party vendors for multinational oil and gas companies are likely to be located outside the EU, so may be less knowledgeable about and less compliant with the new standards. Yet any non-compliant handling of EU citizens’ personal data anywhere in the world could land these companies at the head of the supply chain in serious trouble with the regulators.
Immediate actions – spotlight the supply chain
Don’t take anything for granted – the importance of stress testing. A process put in place by your data protection officer may look watertight and seem sure to highlight any problems, but have you run it under ‘real’ conditions? By ‘socialising’ the process with real data you can operationalise policies and procedures to make sure they are doing exactly what ‘it says on the tin’.
There are four areas with respect to the regulation that companies will potentially struggle with:
1. Data processing: Do you know where your data is stored, where it is going and why it’s being used? Do you know what type of data is stored where? Do you know where it’s being collected, deleted or transferred? In this respect, non-EU third parties, with their differing national or state data privacy rules, are a risk trigger for GDPR compliance. Up to the implementation deadline, the focus has been on dealing with the highest-risk areas; now is the time to extend your processes further down the supply chain.
2. Incident and breach management: Have you got the capabilities to assess whether a breach includes personal data? Are you fully aware of the varying global requirements to report a personal data breach? While this is a central plank of the EU regulation, it is less clearly so elsewhere: in the US it not only differs from the EU but varies between states; across Asia, it is a hybrid of voluntary and mandatory requirements depending on the jurisdiction; and in the Middle East, the local rules vary again.
3. Subject access request (SAR): Are you fully aware of the end-to-end process of a SAR, including receiving the request and knowing how to respond? Have you socialised this within the business? More importantly, do the people involved know their roles and the inputs which are required? Initially, this process may be inefficient and will vary by company complexity. GDPR requirements could mean that companies will need to respond to requests within 30 days. In practice, we are still seeing some companies take 6-8 weeks.
4. Ongoing privacy impact assessment: Are you keeping up to date with changes within your and your customers’ organisations? For example, as companies make more use of disruptive technology, such as blockchain and mobile payments, have you assessed the new infrastructure, what data is being shared and who has access? Do you have contractual cover over protection of your data, and do you have the ability to assess how your data is being processed?
Long-term thinking, lasting processes
Having the right controls in place and the level of assurance that can only come from a thorough audit of your and your suppliers’ GDPR compliance processes is vital.
That way, risks can be eliminated, anticipated or mitigated before they turn into problems.
In summary, until now, resources have focused on the deadline that has now passed. However, the risk of severe financial penalties is the reality still facing oil and gas companies. Therefore, it is important to remember that this is the start, not the end, of managing privacy risks.