5 min read

Writen by Zlatko Delev

Posted on: March 16, 2023

GDPR Local: Supplier Evaluation

How Do You Know Your Suppliers Are GDPR Compliant?

We explain why you should make GDPR evaluation a crucial part of your supplier onboarding.

You’re working with a new supplier. Or, perhaps, you’re simply reviewing an existing relationship. The service level agreement is in place. They’ve signed the non-disclosure agreement. If your suppliers process personal data on your behalf – and if you’re really on the ball – they may have completed a DPA (data protection agreement), and an SCC (standard contractual clause) if they operate in a country without data protection standards equivalent to GDPR.

Find more about DPAs and SCCs

You’d like to think that, in terms of the data privacy protection you offer your customers and the level of legal protection you offer your own business, you’re about as watertight as you could possibly be.

But day to day, irrespective of what they’ve signed or agreed, how do you know your suppliers are operating in a way that’s compliant with GDPR regulations? 

GDPR compliance – why the onus is on you

The compliance of third parties with GDPR policies is one of the most overlooked elements of the GDPR world. If you haven’t put measures in place (such as DPAs and SCCs) to ensure you retain control over the way suppliers collect, store or use the personal data they hold on your behalf, you’ll be responsible in the event of a data breach by that supplier.

At worst, that could amount to a fine of 4% of total annual global turnover or £17.5 million/€20 million, whichever is greater.

Even if you have dotted every regulatory i and crossed every data protection t – how do you know your suppliers are a) as GDPR compliant as you and b) are actually doing the things they’ve signed up to do? Legal protection will be of limited value in the face of the reputational damage that can follow a breach by a supplier.

So in addition to being GDPR compliant yourself, it’s important to have the assurance that the companies you are sharing your data with also take data protection laws seriously.

As a data protection officer for your organisation, how do you achieve that?

GDPR Supplier Evaluations

One of the most important elements of the GDPR support we offer clients is an in-depth supplier review. For each supplier, we conduct an evaluation not only of the GDPR-related documents they’ve completed – privacy policy, cookie policy, data processing agreements etc – but also of the processes as they have been implemented by that supplier.

After all, any policy is easy to sign up to; it’s often a little harder to apply it.

Our supplier evaluations guarantee the safety of the data, ensuring it will be processed lawfully and in accordance with the signed agreements. That’s a powerful reassurance for you and your customers. 

Meeting your data standards

Another reason the supplier evaluation is so important is that it identifies any cracks and discrepancies in the way you both handle your data obligations.

Take the example of a data request. As part of meeting your responsibilities under GDPR, you will have a process for handling data requests. So should your supplier, but those processes may differ. So what happens when a request relating to personal data a customer has shared with you arrives with the supplier?

Even though the supplier may not get directly involved in contacting the data subject, they should be aware of their responsibilities to forward the request to the data controller within the defined framework. They should also offer their support and assistance in handling the request.

It’s often these procedural elements that will be missed in establishing third party data relationships, yet they can have a vital role in ensuring that a well-thought out set of GDPR policies operate as intended in practice. 

Implementing data protection changes

With the evaluation complete, we rank the supplier’s level of compliance on a scale of 1 to 5. We’ll share that result with the data protection officer and suggest the safeguards that will need implementing.

The result is that you can stop worrying about whether your suppliers are GDPR compliant, because you know they are. 

To find out more about how GDPR Local’s Supplier Evaluations could give you the assurance you need over your third party data relationships, or for general GDPR advice, talk to us.

To arrange your Supplier Evaluation or to take advantage of everything else our GDPR consultancy offers, sign-up

Contact Us

Hope you find this useful. If you need an EU Rep, have any GDPR questions, or have received a SAR or Regulator request and need help then please contact us anytime. We are always happy to help...
GDPR Local team.

Contact Us

Recent blogs

EU AI Act Summary: Key Compliance Insights for Businesses

The EU AI Act is a pioneering attempt to regulate AI systems, striving for a balance between foster

AI Act: Fundamental Rights Impact Assessments (FRIA) – Who, When, Why, and How to Ensure Ethical AI Deployment

The European Union (EU) has positioned itself as a leader in shaping the responsible development an

How the Privacy Act Protects Personal Information in Australia

 As cyber threats loom larger and data breaches become more common, the significance of strong

Get Your Account Now

Setup in just a few minutes. Enter your company details and choose the services you need.

Create Account

Get In Touch

Not sure which option to choose? Call, email, chat to us

Contact Us

Stay Up-To-Date

Leave your details here and we’ll send you updates and information on all aspects of GDPR and EU Representative. We won’t bombard you with emails and you will be able to tell us to stop anytime.

Full Name is required!

Business Email is required!

Company is required!

Please accept the Terms and Conditions and Privacy Policy