Emerging technologies: Part 2: Merging privacy by design and supply chain
September 28, 2023 - In Emerging technologies: Part 1: Embedding privacy by design, Conor Hogan, Global Practice Director, Data Governance, discusses privacy by design and default and why embedding privacy controls from the outset leads to greater data protection and enhanced user experiences. Now, we discuss how to merge the concept with supply chain to ensure the responsible handling of data and mitigation of security risks throughout the supplier lifecycle.
Supply chains are complex, with systems and processes changing throughout supplier partnerships. Integrating privacy considerations into the supply chain involves embedding privacy controls and compliance measures throughout the supplier lifecycle, from onboarding to relationship management and data sharing through to offboarding. This helps safeguard against potential regulatory violations and fosters a culture of accountability within the supply chain ecosystem, ultimately enhancing overall organizational resilience.
Considerations for a smooth and successful merging of privacy by design and supply chain include:
- Communication: When dealing with a network of suppliers of various sizes, capabilities, and expertise levels, communicating privacy by design goals can be challenging. The objective is to use clear, concise, and transparent communication from day one, to ensure suppliers fully grasp what is expected of them. This can take the form of a supplier code of conduct, or including the organization’s privacy expectations as an annex or appendix in contractual agreements with suppliers.
- Supplier lifecycle integration: A proactive approach to communication needs to be maintained throughout the supplier lifecycle. If a process is being tweaked, considering how that will impact one supplier versus another is critical to prevent unnecessary collection of data. During the supplier onboarding process, a pre-qualification questionnaire and certifications verify privacy policies. It is important to consider that down the line, new processes requiring the collection of more personal customer data may not be accounted for in review processes. To keep on top of these changes, evaluating privacy by design principles throughout the relationship is critical.
- Policies and standards: When communicating goals, it is important to agree on what specific standards and policies suppliers will be expected to adhere to. These may need tailoring based on the type of process the supplier is handling, the type of supplier they are, and how mature they are in the game. A customized approach ensures the organization and supplier feel assured that expectations can be met.
- Minimizing data: This is one of the most powerful ways to successfully merge supply chain and privacy by design. By implementing a risk-based approach and data minimization techniques, organizations can collect only the necessary personal data they need, lessening the risk of untapped data being targeted by cyber criminals.
- Privacy enhancing technologies: Incorporating technologies that enhance privacy within the supply chain helps protect personal data by default. For example, tokenization involves replacing sensitive information including credit card numbers, home addresses, or personal identification information with a mix of valueless characters, known as a token. If a breach were to occur anywhere along that supply chain, the exposed data would consist only of the corresponding tokens, which are meaningless on their own.
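To make the data minimization and tokenization points above concrete, here is an added sketch (not from the original article or from BSI) of a record being prepared for a supplier. The `TokenVault` class, the `analytics` supplier role, the field names and the sample order are all constructed assumptions for illustration.

```python
import secrets

class TokenVault:
    """Mapping kept by the data-owning organization; never shared with suppliers."""
    def __init__(self):
        self._by_token = {}   # token -> original value
        self._by_value = {}   # (field, value) -> token, so repeats reuse one token

    def tokenize(self, field, value):
        key = (field, value)
        if key not in self._by_value:
            # Random token: it is not derived from the value, so it cannot be reversed.
            token = "tok_" + secrets.token_urlsafe(16)
            self._by_value[key] = token
            self._by_token[token] = value
        return self._by_value[key]

    def detokenize(self, token):
        return self._by_token[token]  # raises KeyError for unknown tokens

# Hypothetical policy: the fields each supplier role needs, and which are sensitive.
SUPPLIER_FIELDS = {"analytics": {"order_id", "amount", "card_number"}}
SENSITIVE = {"card_number", "home_address", "national_id"}

def export_for_supplier(record, role, vault):
    """Drop fields the role does not need, then tokenize the sensitive ones."""
    allowed = SUPPLIER_FIELDS[role]
    out = {}
    for field, value in record.items():
        if field not in allowed:
            continue  # data minimization: this field never leaves the organization
        out[field] = vault.tokenize(field, value) if field in SENSITIVE else value
    return out

# Constructed sample record (the card number is a well-known test value).
ORDER = {
    "order_id": "A-1001",
    "amount": "49.90",
    "card_number": "4111111111111111",
    "home_address": "1 Example Street",
    "national_id": "ID-000000",
}

if __name__ == "__main__":
    vault = TokenVault()
    print(export_for_supplier(ORDER, "analytics", vault))
```

Because the same card number always maps to the same token within one vault, the supplier can still group orders by customer without ever holding the card number itself.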
The merging of privacy by design with supply chain is a forward-looking strategy that enhances data protection, while paving the way for more ethical and accountable business practices.
For more on this topic, watch Emerging technologies: Privacy-by-design transforming supply chain management with Conor Hogan and Tony Pelli. Read Avoiding digital chaos: Part 2: The threats and opportunities of new technology by Conor Hogan to learn more on emerging technologies. For further insights on other digital trust, privacy, information security, and environmental, health, and safety topics that should be at the top of your organization's list, visit BSI's Experts Corner.