We find clients don’t often think about supplier risk. Currently we’re working with a company to implement ISO27001 and, as part of that process, we are checking their suppliers for information security standards, GDPR compliance etc.
As part of checking suppliers for compliance, we needed a list of the suppliers, and this particular company has outsourced its finance function to an accountancy firm. We asked the accountants to provide a list of the suppliers that had been paid in the last year. We had already had concerns about the accountants and their GDPR compliance from previous conversations and document reviews with them, and this request simply cemented the fact that they don’t understand what they need to do. As a result of our asking for the supplier list, they rang us wanting to know whether it was possible to just send us the whole list downloaded into an Excel document, which would include the company name, company address, and the suppliers’ bank details: both their bank account number and sort code. We obviously said we don’t need their bank account details or their sort code; we just need the company name and probably the postcode of the operating address.
This highlighted that the accountancy company is completely unaware of the requirements of security around information, because they were just going to email us the bank account details. The fact that we don’t need the bank account details for any of these companies had completely passed them by.
Obviously, we’ve had a further chat with these accountants explaining what they need to be doing. But the company that we are working for is rapidly coming to the conclusion that those accountants are unaware of their GDPR and security obligations, and is worried about them losing its data or disclosing it inadvertently. As a result, my client is now looking at other companies to provide the service.
When you’re working with suppliers, how do you ensure that they are taking care of your business information and any personal information you share with them so that they don’t put that information at risk?
If you’ve got any questions, or you want to know a bit more about ISO27001, we’d be happy to have a chat.