GDPR: Do you know which of your suppliers are processing personal data?

Posted on 31st July 2019

Did you know it's been over a year since GDPR, the biggest shake-up in the history of data protection regulation, came into force across Europe? Those 'consent to cookies' banners which pop up every time you use a website are one visible sign that companies are taking the changes to processing personal data seriously. However, compliance is ongoing work, and the Information Commissioner's Office (ICO) can now impose fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher. In July 2019 the ICO announced its intention to fine British Airways £183m over a breach of customer payment data, and Marriott International £99m for failing to protect personal data in a guest reservation database it had acquired.

And it's not just big businesses being penalised. In Poland the regulator fined a digital marketing company around €220,000 for failing to inform people whose data it had scraped from public registers, and in Germany a chat platform was fined €20,000 after storing user passwords in plain text. While you may have your own GDPR compliance in the bag, did you know you are also responsible for the suppliers who process personal data on your behalf?

Your responsibilities

You might think a supplier's data breach is their problem, but you'd be wrong. Outsourcing the processing does not outsource the accountability: as the data controller you remain responsible for appointing only processors that give sufficient guarantees of compliance (Article 28), and the processor carries its own obligations for security and breach notification. Moreover, it will be your reputation that suffers, because your customers deal directly with you, not them. Under GDPR, a controller must report a notifiable breach to the regulator without undue delay and, where feasible, within 72 hours of becoming aware of it; a processor must in turn notify the controller without undue delay. Your contracts therefore need to bind the supplier to tell you about a breach promptly, so you can assess it and decide next steps with them inside that 72-hour window.

How to stay compliant when processing personal data


Start by carrying out a due diligence exercise covering both your own and your suppliers' data management. Map out where your personal data comes from, where it is stored and where it is transferred to, including any transfers outside the EEA. From there, you can check that your and your suppliers' transfer mechanisms and storage are secure. You should also have documented procedures for recording the lawful basis and any consents you rely on, and for passing changes, such as a withdrawn consent or an erasure request, on to the third parties who hold that data.

Maintain a register of all suppliers

Maintaining a central register of your suppliers and their sub-processors (the secondary suppliers they in turn use) reduces the risk of anyone falling off the radar. It also doubles as the record of processing activities GDPR expects you to keep, and gives you a basis for scheduling periodic reviews of each supplier's data processing.

Review your supplier contracts

GDPR itself (Article 28) requires a written contract, with specific mandatory terms, with every supplier that processes personal data on your behalf, and the ICO's guidance sets out what those terms must cover. Your current contracts will no doubt include clauses relating to data processing. However, make sure they are clear on exactly what data your suppliers may collect, store and transfer, and for what purpose. The contract should also make clear whether the supplier acts as a data controller in its own right or as a data processor acting on your instructions, because the obligations differ.

Contracts should stipulate the security standards you expect the supplier to meet when processing personal data, and should include the Article 28 terms: processing only on your documented instructions, confidentiality of staff, appropriate technical and organisational measures, your approval before any sub-processor is engaged, assistance with data subject requests, and deletion or return of the data when the contract ends. They should also set out who is liable in the event of a breach, your right to audit the supplier, and a fixed timeframe within which the supplier must notify you of any breach so that you can meet your own 72-hour deadline.

Be proactive when assessing risks

During the procurement process, best practice dictates that firms should issue potential suppliers with questionnaires regarding their data security and management processes. A questionnaire will give you visibility into how potential suppliers store and process personal data and should include questions on:

·       Data storage

·       Data processing

·       Data protection

·       What systems they use

·       Customer consent methodology

·       Compliance checks

·       Staff training

·       How they monitor secondary suppliers

·       How they will communicate breaches 

Carry out audits


When setting a fine, the regulator considers factors including whether the infringement was intentional or negligent, the technical and organisational measures that were in place, and the steps taken to mitigate the harm. It therefore makes sense to take a proactive approach to data security, including regular reviews of your suppliers' data management. Auditing your high-risk suppliers not only demonstrates a commitment to compliance, it will also uncover weaknesses the supplier needs to address before they become a breach.

Invest in supplier relationship management (SRM) software

Managing your supplier relationships using SRM software can help you avoid supplier data breach issues by minimising supply-side risks. Regular reviews of performance against contractual terms and maintaining open communications will alert you to any problems the supplier may be experiencing. You can then support them in coming up with solutions or suspend the relationship until they resolve the issue.

SRM solutions can be used to prompt supplier managers to record essential GDPR considerations for each supplier, such as the nature of the personal data handled, whether the data is located in the EEA, and who is the controller and who the processor. They can also save your team time by generating automated communications with suppliers and by embedding GDPR questions within automated due diligence questionnaires for completion by suppliers.

The software will also help your business become more efficient by centralising all supplier data and automatically generating management reports and reminders for your staff. It also improves your visibility of supplier performance and provides a communication tool so you can keep in regular contact with your suppliers. 

What to do if you discover a breach

If you discover a breach, you, as the controller, must first assess whether it is likely to result in a risk to the individuals affected and therefore has to be reported to the ICO. If it is reportable, you have 72 hours from when you become aware of it to report it; if you cannot provide all the details within that time, you can report in phases. You must also notify the individuals affected, without undue delay, if the breach is likely to result in a high risk to them.

An element of your risk mitigation strategy should be a contingency plan, already in place, for dealing with a supplier data breach. When it happens, work with your supplier to put the plan into action, review the technical and organisational protection measures on both sides, and make the changes needed to secure your data effectively. This may include suspending some aspects of your operation until the remedial work is done and you can confirm there is no further risk. Reacting swiftly is crucial to limit both the effect on your customers and the damage to your reputation.

As part of your ongoing data management, keep up-to-date with ICO guidance on Data Protection, update your GDPR compliance processes and procedures and regularly check your suppliers are also compliant. This will reduce the risk of incurring a penalty for non-compliance and any reputational damage from adverse publicity a fine would bring.

© Copyright 2021 Atamis Ltd