How to manage data protection risks when buying software

Terrible Software Contracts

This is a topic I’ve touched on in my last two blog posts, but as I keep seeing more terrible* contracts from software firms, I wanted to write in more detail about how to manage data protection risks when buying software.

*Terrible for the customer, that is. Great from the supplier’s point of view, with clauses that put all the risk on the customer and none on the supplier, all while making it appear that the supplier has only the customer’s interests at heart.

When you’re procuring software, you need it to do more than handle your data and produce reports in a user-friendly and effective way: it also needs to keep that data secure, because the security of the processing is part of what data protection law requires of you.

The problem is that much of the investment in secure and efficient technology is US-based, and a US base brings risks that the companies concerned usually downplay (or even hide). That is understandable from their point of view, but it leaves us in the UK and EU carrying potentially very high risks. I’m not necessarily averse to risk, especially if the payoff makes it worthwhile, but a risk shouldn’t be accepted until it has been identified and assessed.

Software Buying Checklist

So here’s what to look for, and how to manage data protection risks when buying software for processing personal data. (You can access this as an interactive checklist at the bottom of the page.)

Functionality: There will likely be more than one software solution that has the functionality you need, that can do what you want it to, and process data in the way you need it to. So stay open-minded while you check all of the other criteria in this list.

Security: What security measures are in place, and are they appropriate for the level of risk represented by the type of data you’re handling? The higher the risk, the tighter the security should be. Don’t settle for a general assurance: ask for evidence, such as how data is encrypted in transit and at rest, how access by the supplier’s own staff is controlled and logged, whether independent security testing or certification (for example ISO 27001) has been carried out, and how and how quickly you would be told about a breach.

Geographical data storage risks: Where does the company propose to store your data? The growth of ‘cloud’ storage means software users don’t always think about where the data is physically stored – where that cloud is anchored, we could say. Many US-based companies offer UK or EU based servers for storage, which helps reduce the risks, so do confirm where your data would be stored. Ask about backups and support access too: a UK or EU storage region is of limited help if copies are replicated to, or routinely accessed from, other countries.

Geographical company ownership risks: Where is the software company based, and who owns it? Even if the data is stored in the UK or EU, a US-owned company can be required under US law (notably the CLOUD Act) to give US authorities access to data it holds, wherever that data sits. This risk needs to be assessed and controlled as far as possible (for example by asking how the supplier handles government access requests, and whether encryption keys can be held by you rather than the supplier) if it can’t be avoided by using a UK or EU based software company.

Contract risks: Does the company’s standard contract include all the legally-required data protection clauses? For a supplier acting as your processor, UK GDPR and EU GDPR set out the minimum terms that must be in writing (the Article 28 clauses), and any transfer of personal data outside the UK or EU needs an appropriate transfer mechanism in the contract as well. Remember that those clauses are there to protect you, the purchaser, and it’s your responsibility to make sure they are in the contract. It’s not unusual to see supplier contracts that do NOT include them.

Expert help: I’m not a technical expert by any means, so I recommend you reach out to an expert to help you review the functionality and security measures of software solutions. Someone like Chris Page of IT Service Match, which offers a free service to help you find your best-fit IT service. If you need help with the geographical risks or the contract clauses, CP Data Protection can review and amend contracts, or provide you with data protection clauses to include in the supplier’s contract. If the contract also covers managing the implementation, you will want an expert IT contract lawyer to review it for other types of risk too. Someone like my colleagues at Anthony Collins Solicitors.

Golden Rule of Data Protection

It may seem cynical, but my golden rule of data protection is “Take nothing for granted”, and I think it is never more important than when purchasing software to process personal or sensitive data.

Remember these are YOUR risks, and it’s just not in the sellers’ interests to be open and honest with their potential buyers about the risks explained here, so please take time to understand, assess and manage your risks yourself.

Having processes in place to help you manage data protection risks when buying software is part of a data protection governance framework. This information is also available as an interactive checklist, alongside more about building a DP governance framework.



• Thanks Chris! Absolutely, all too often we’re asked to review software or a contract and find it’s problematic, when the buyer has already decided they are buying that software. Sometimes the contract has already been signed…
