Best Practice Update


The Multiple Dimensions of Supplier Due Diligence

✅ 🔒 Organisations rely heavily on third-party software suppliers for day-to-day business. We explore the critical aspects of software supplier due diligence and why it should be a priority for every organisation.

🔒 Data Protection and Compliance

Failing to assess whether a supplier adheres to the UK GDPR and the Data Protection Act 2018 could affect the privacy and security of the personal data you collect. Understanding how and where a third party stores data is critical in assessing whether they can handle any data you share with them compliantly. Understanding how long they keep the data and their legal basis for processing is also part of assessing a third-party supplier. If a supplier holds relevant security or compliance certifications, such as ISO 27001 or Cyber Essentials, this can provide some assurance around their technical and organisational security measures. Understanding whether any data might be transferred outside the UK may then mean additional assessments, depending on which country the data is being transferred to.

Knowledge Bank:
Customers should review our Supplier Due Diligence Best Practice Area for assessed third parties. If you're looking at a new supplier that isn't on our list, send us a completed copy of our Supplier Due Diligence Form and we will assess the supplier and add it to our database.

Also review our Transparency Best Practice Area. Transparency is key to the requirement under Article 5(1) of the UK GDPR for the processing of personal data and underpins the fairness element of Article 5(1). If you aren't clear, open and honest about what you do and why you do it, your original collection and ongoing use of personal data are unlikely to be fair to a data subject.

🛡️ Cyber Security Threats

When there are no controls over software purchases or downloads, the organisation could suffer a cyber incident through a compromised software supplier. Such a supplier may serve as an entry point for cyber criminals, leading to malware infections, ransomware attacks, data breaches or system takeovers.

Knowledge Bank:
Review our Cyber Security Best Practice Area for further help and guidance alongside the Supplier Due Diligence Best Practice Area. As part of your due diligence check, you might want to review whether the third party carries out penetration testing and regular security audits, and whether they have suffered any supply chain attacks.

💻 Software Compatibility and Integration

Any new software should be compatible with existing systems and workflows to avoid conflicts or costly adaptations. A robust approval process ensures that any new software or system will work with other systems and with the organisation's network.

Knowledge Bank:
Schools and Colleges should look to the DfE Digital Standards Best Practice Area which gives guidance around the DfE procurement framework for the purchasing of services, hardware and software.  The standards will help you ensure that you purchase digital services and products that fit in with your organisation's strategies.

👤 Software Approval Process

Having an approval process in place ensures that due diligence has been completed for data protection and cyber security purposes, and also that the product is compatible with the systems currently in place. A well-defined approval process minimises risk, ensures the supplier aligns with the organisation's security and operational standards, and ensures any products or services fit with strategic decisions.

🦹 Sharp Practices

Some suppliers might use 'sharp practices' to entice staff to purchase software. Sharp practice refers to behaviour that is technically legal but ethically dubious, often involving deceit or unfair tactics to gain an advantage. While sharp practice may not always be illegal, it is widely regarded as unethical.

One example is 'Big Classroom', which encourages teaching staff to sign up for a trial of their British Values/Prevent project. The recipient then unknowingly signs up for an annual subscription, and the school later receives invoices for payment. Specific email addresses in the school are targeted (similar to social engineering). The company changes email addresses and domain names frequently to avoid block lists, so constant awareness and reminders to staff are advised. In this instance, the best course of action is to block the supplier's domain, warn staff and put an approval process in place.

Conducting thorough due diligence on any supplier is essential to safeguarding the organisation's data, maintaining cyber security and ensuring operational continuity. By implementing a structured approval process, checking for regulatory compliance and assessing security measures, organisations can mitigate risk and build a resilient infrastructure.

📢 Consider booking onto our DPIAs and Due Diligence Webinar.
