In the preparation for GDPR and the UK refresh of the Data Protection Act it seems that some organisations, especially government departments and public bodies are asking some very awkward questions.
There are probably others going the rounds as well. Prefacing what I'm going to say with IANAL (I am not a lawyer) it makes sense to apply some rationality to this and maintain the proper borders between organisations. In general I do not believe that anyone has to promise to any one else, including the Government that they are going to obey the law. Extra contractual conditions won't provide any kind of indemnity to either party, remember that organisations that supply data have a duty of care to both the owners of the data (individuals), and whoever they share it with, that they indeed have the necessary permissions. There could potentially be a lot of 'indemnities' swapped around. But of course they mean nothing.
The same really holds true on being asked for copies of policies, procedures or even implementations. This isn't new behaviour there are some companies that seem to love forcing their own procedures down suppliers or even customer's throats. Being asked for the details of ISO 27001, the procedures for generating, holding and rotating keys and so on. Each one of these requests can be managed with a blanket 'We maintain and regularly review our policies in this and other areas in the light of Best practice and Regulatory conditions applicable at the time, this includes any legal requirements. The specifics of our policies, procedures and implementations are naturally commercially sensitive and are not to be shared.".
This is especially true over a right of audit. Unless the specifics of handling data can be entirely separated by supplier or third party it would be very difficult to allow third party audit without also exposing other data to which they had no reasonable access.
The last two points, contractually requiring or appearing to place the burden of performing the mandated deletion or forgetting of personal data, are going to be awkward for both supplier, third party and the owner of the data themselves. No organisation is going to want to have the unmitigated risk of a third party not being able to effectively delete or forget the data they've had, but this in no way absolves the data collecting company from their own obligations. There are practicalities around the deletion and forgetting of data which can mitigate some of the risk but first think about the shared risk of a collecting company and third parties that they may use to process, transform or manage that data for them. Those third parties are not just companies like Cambridge Analytica (who never needed identified information anyway), but any kind of service or processing organisation, lawyers, accountants, consultancies, outsourcing IT, off shoring, marketeers, job services, SaaS applications, on and on. All of them will have a shared risk.
Unlike Operational Risks, Business Risks should be singletons. If there isn't one policy, procedure, implementation in place, but many and those are determined by contract; there will be failure. The decision tree for making this sane is fairly obvious but there's a couple of things that might not be.
On the last point, which I want to elaborate on in lots of detail one day soon, it's important to not get bound up in definitions of Deletion, Forgetting and Archive that require adjusting the laws of Physics. The regulation so far, describes all of these states in terms of availability to the 'System' and access or use. Those are the states to concentrate upon. There are complications relating to Archive and legacy systems of many years standing but there are also ways of handling them.
CC BY-SA 4.0