
Written by Zlatko Delev

Posted on: March 16, 2023

GDPR Local: Supplier Evaluation

How Do You Know Your Suppliers Are GDPR Compliant?

We explain why you should make GDPR evaluation a crucial part of your supplier onboarding.

You’re working with a new supplier. Or, perhaps, you’re simply reviewing an existing relationship. The service level agreement is in place. They’ve signed the non-disclosure agreement. If your suppliers process personal data on your behalf – and if you’re really on the ball – they may have completed a DPA (data protection agreement), and an SCC (standard contractual clause) if they operate in a country without data protection standards equivalent to GDPR.

Find out more about DPAs and SCCs

You’d like to think that, in terms of the data privacy protection you offer your customers and the level of legal protection you offer your own business, you’re about as watertight as you could possibly be.

But day to day, irrespective of what they’ve signed or agreed, how do you know your suppliers are operating in a way that’s compliant with GDPR regulations? 

GDPR compliance – why the onus is on you

The compliance of third parties with GDPR policies is one of the most overlooked elements of the GDPR world. If you haven’t put measures in place (such as DPAs and SCCs) to ensure you retain control over the way suppliers collect, store or use the personal data they hold on your behalf, you’ll be responsible in the event of a data breach by that supplier.

At worst, that could amount to a fine of 4% of total annual global turnover or £17.5 million/€20 million, whichever is greater.

Even if you have dotted every regulatory i and crossed every data protection t, how do you know your suppliers are a) as GDPR compliant as you and b) actually doing the things they’ve signed up to do? Legal protection will be of limited value in the face of the reputational damage that can follow a breach by a supplier.

So in addition to being GDPR compliant yourself, it’s important to have the assurance that the companies you are sharing your data with also take data protection laws seriously.

As a data protection officer for your organisation, how do you achieve that?

GDPR Supplier Evaluations

One of the most important elements of the GDPR support we offer clients is an in-depth supplier review. For each supplier, we conduct an evaluation not only of the GDPR-related documents they’ve completed – privacy policy, cookie policy, data processing agreements etc – but also of the processes as they have been implemented by that supplier.

After all, any policy is easy to sign up to; it’s often a little harder to apply it.

Our supplier evaluations guarantee the safety of the data, ensuring it will be processed lawfully and in accordance with the signed agreements. That’s a powerful reassurance for you and your customers. 

Meeting your data standards

Another reason the supplier evaluation is so important is that it identifies any cracks and discrepancies in the way you both handle your data obligations.

Take the example of a data request. As part of meeting your responsibilities under GDPR, you will have a process for handling data requests. So should your supplier, but those processes may differ. So what happens when a request relating to personal data a customer has shared with you arrives with the supplier?

Even though the supplier may not get directly involved in contacting the data subject, they should be aware of their responsibilities to forward the request to the data controller within the defined framework. They should also offer their support and assistance in handling the request.

It’s often these procedural elements that are missed when establishing third-party data relationships, yet they can play a vital role in ensuring that a well-thought-out set of GDPR policies operates as intended in practice.

Implementing data protection changes

With the evaluation complete, we rank the supplier’s level of compliance on a scale of 1 to 5. We’ll share that result with the data protection officer and suggest the safeguards that will need implementing.

The result is that you can stop worrying about whether your suppliers are GDPR compliant, because you know they are. 

To find out more about how GDPR Local’s Supplier Evaluations could give you the assurance you need over your third party data relationships, or for general GDPR advice, talk to us.

To arrange your Supplier Evaluation or to take advantage of everything else our GDPR consultancy offers, sign-up


I hope you find this useful. If you need an EU representative, have questions about the GDPR, or have received a SAR or regulatory request and need help, you can contact us at any time. We are always happy to help...
GDPR Local Team.
