Friday, July 11, 2014

DPO Stories #5 - You've Got Mail... From India With Love

ONCE UPON A TIME...

A CFO of a listed company forwards an e-mail to the data protection officer (DPO) with the following message:
Hi,
I received this e-mail receipt FROM INDIA that relates to an internal e-mail that was highly confidential as it included the preliminary numbers for this quarter of (subsidiary X). Could you have a look at this? We really need to know what happened here. I am not convinced that this is insider information, but even so, better be careful and prepared. Keep me up-to-date!
Best regards.
So the search began.

The e-mail account on the receipt was a clear indication. It was an "Indian looking" name at the domain name of the e-mail maintenance contractor, who was established in the EU. So the DPO contacted the procurement department for the agreement.
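As an added illustration (not code from the original post), the following Python script shows how a mail administrator or DPO could triage such a read receipt automatically: it parses the machine-readable part of a disposition notification (RFC 8098) and flags when the mailbox that displayed the message was neither an original recipient nor inside the organisation's own domains. The receipt, addresses and domains are constructed sample data.

```python
import email
from email import policy

# Constructed sample data: the company's domains and the recipients of the confidential mail.
INTERNAL_DOMAINS = {"company-c.example"}
ORIGINAL_RECIPIENTS = {"cfo@company-c.example"}

# Constructed sample read receipt (MDN) as the CFO might have received it.
SAMPLE_RECEIPT = """\
From: Mail Service <someone@mail-contractor.example>
To: cfo@company-c.example
Subject: Read: Preliminary numbers Q2 (subsidiary X)
Content-Type: multipart/report; report-type=disposition-notification; boundary="b1"

--b1
Content-Type: text/plain

The message was displayed on the recipient's screen.
--b1
Content-Type: message/disposition-notification

Reporting-UA: desk-77.offshore.example; Mail Client 1.0
Final-Recipient: rfc822; offshore.user@mail-contractor.example
Original-Message-ID: <q2-prelim-001@company-c.example>
Disposition: manual-action/MDN-sent-manually; displayed
--b1--
"""

def parse_mdn_fields(raw: str) -> dict:
    """Return the MDN fields (lower-cased names) of a receipt, or {} if it carries none."""
    msg = email.message_from_string(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "message/disposition-notification":
            inner = part.get_payload(0)  # the notification block is parsed as a nested message
            return {name.lower(): str(value).strip() for name, value in inner.items()}
    return {}

def address_of(field: str) -> str:
    """'rfc822; user@host' -> 'user@host' (empty string if the field is missing)."""
    return field.split(";", 1)[-1].strip().lower()

def triage_receipt(raw: str) -> dict:
    """Flag receipts whose reader is not an original recipient or is outside the organisation."""
    fields = parse_mdn_fields(raw)
    reader = address_of(fields.get("final-recipient", ""))
    flags = []
    if reader and reader not in ORIGINAL_RECIPIENTS:
        flags.append("displayed by a mailbox that was not an original recipient")
    if reader and reader.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS:
        flags.append("reader mailbox is outside the organisation's domains")
    return {"reader": reader, "message_id": fields.get("original-message-id", ""),
            "disposition": fields.get("disposition", ""), "flags": flags}
```

Either flag is a reason for the DPO to look at the processing agreement before anything else, which is exactly the path the story takes.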

A quick look at the agreement showed that the contractor had not named any subcontractors for the job, but the agreement was also a bit fuzzy on whether or not the contractor needed the company's prior consent to subcontract. It also named an account manager for the company and an escalation path, should it be necessary.

The DPO, with the procurement department manager in CC, contacted the account manager at the contractor. Simple question: 
Dear Sir,
I am the Data Protection Officer of (Company C).
I attach a screenshot of an e-mail receipt our CFO received that indicates that somebody of or for your company that does not seem to reside in the European Union had access to this e-mail.
As I read the agreement between us (reference number xxx) I do not see any indication that the e-mails, which per se are personal data, are to exit the EU. As you know EU data protection legislation requires us to set up controls if and when our personal data is transferred outside the EU. This receipt therefore worries us. Could you, please, provide us as soon as possible with the context of the e-mail receipt.
Thanks in advance.
The same day the account manager could already confirm that there was a subcontracting agreement with an Indian company. Normally, however, accounts would only be handled in that offshore location after an addendum to the agreement regulating the transfer outside the EU had been agreed upon. Apparently that addendum had not yet been signed, so something had gone wrong. As for the specific "peek", he committed firmly to immediately get to the bottom of it. He must have felt this might turn into a big issue, because he immediately CC'ed his legal department in the discussion.

The day after the e-mail to the account manager, the DPO already knew more about the person mentioned in the e-mail receipt. It was someone who "no longer worked for the Indian company". The DPO never asked, but very likely this incident led to the termination of that employee's agreement. In any case, there was no further explanation of why the e-mail receipt was sent out or why the employee had access to that information.

During the investigation on the contractor's side, the DPO also got a glance at the information in the original e-mail: on-screen, in the CFO's office. It could be determined that the information clearly was not insider information (too vague, too small an impact on the overall numbers, ...), so the financial supervisor did not have to be notified. This supported the decision not to panic over this individual case, but to focus on a solution for the future with the contractor. The classification of highly confidential was however upheld: it was considered better not to get people confused about the notion, and erring on the safe side was preferred over the alternative.

So, not really wiser on the specific incident, negotiations started with the contractor to amend the agreement. Luckily the legal department of the contractor had in-depth knowledge of data protection regulation, so a solution for the transfer was reached rather fast, even though a transfer first to an EU contractor and then onward to a non-EU subcontractor is not a scenario the standard contractual clauses foresee. Within a month a final draft was reached and ready for execution.

(We will not go into the details of the solution, as we will pick that up in another section.)

COMMENT

This is a great story to show that a DPO often learns of issues through small signs.

The small signs have to be captured by people "in the field". They have to be open to anomalies and capture them. That is why awareness training is so important. The entire staff being the DPO's eyes and ears is the equivalent of being Argus Panoptes, the guardian with 100 eyes.

The staff needs to be comfortable in reaching out to the DPO. The threshold has to be low. There are a number of requirements to get that relationship with the staff: speed and tone of response, openness, consistency in policy and answers, etc. We will go into that in another series.

The DPO has to be able to triage whether a sign is just a small symptom or the small sign of a (potentially) bigger issue. Here knowing the organisation really well, and experience gained through reading, contacts with colleagues, etc., are a big help.

Finding out more about what happened off premises at a contractor can be done in several ways, ultimately by an on-premises audit as should be provided for in the agreement, but... one has to choose wisely what path to take. Quite often the contractor has an interest in finding things out as well. So cooperation and open communication are often a good starting point to find a solid solution quickly. Immediately going for escalation will in most cases close a number of doors even before the investigation is properly started.

There are a few other lessons on the agreement as well, but we will leave that for another story.

THE POWER OF STORIES

(repetition of the intro of the series:) Stories are of all times, but lately organisational behaviourists and marketers have taken a renewed interest in them. DPOs have stories as well, from their own experience or heard in their community. And they should use them to engage the organisation, at least to raise awareness, questions and/or discussions. Note that we keep some obscurity and that any reference to a name or situation you may know is likely to be based on coincidence. :-)

CALL TO ACTION

Do you have any good stories? Can you share them (pseudonymised)? (If so, please, do.)
