Supply Chain Compliance with the GDPR

|
|
PUBLISHED on
22 Jul
2022

This blog focuses on an aspect of the GDPR which can be particularly challenging for a number of organisations, namely, how do you ensure your supply chain complies with the Regulation when processing personal data?  The obligations for data controllers to manage the processing of personal data throughout their supply chain are clearly set out in Articles 28 and 29 of the GDPR, and there were similar obligations to obtain ‘written guarantees’ from suppliers and service providers in previous legislation.

If you are a data controller, you are required to protect the rights of individuals, including the secure processing of their data.  This obligation entails passing compliance measures down to any external organisations that process or access your data via contractual conditions.  Sounds straightforward, eh?  You just issue a contract change note or GDPR contract addendum to all your existing suppliers.  Unfortunately, it gets a bit trickier when it comes to new suppliers.  How do you assess whether the new supplier has sufficient security controls in place to protect your personal data to a level that is equal to, or greater than, your own?

The answer is to ensure that you have a data protection/GDPR specialist involved in the onboarding of any new suppliers.  Typically, this individual would be your data protection officer (DPO), who is responsible for assessing the controls a potential new supplier has in place to protect personal data and would ultimately have the power to veto any contract being signed.

We often find the supplier onboarding process misses some fundamental trigger questions, namely:

  • Will this supplier’s services require access to our personal data or our premises where we process personal data?
  • Will this supplier provide services that will host or operate systems that will hold or process our personal data?

If the answer to either question is yes, then you need to involve your DPO in the supplier assessment process.  As with any process, there are always a few ‘rabbit holes’ to look out for.  Here a few to consider:

  • In some organisations, departmental or functional heads have the ability to sign off services up to certain spend limits, without having to go through formal procurement or supplier engagement processes. And whilst there may not be a big spend involved, there could be a big risk in terms of non-compliance with the GDPR.
  • Staff policies often contain statements relating to the installation of software on company equipment, but no restrictions on acquiring ‘online’ services.  As such, before you know it, your personal data may end up being processed or accessible by an unknown third party offering a ‘free’ service.
  • Some supplier relationships are based on long-term business opinion or service experience, without a contract at all.  As we know, this can be dangerous ground with personnel and structural changes to the organisation, e.g., mergers, takeovers
  • Big and small technical departments alike often circumvent the process when under pressure to deliver new or upgraded technology.  The supplier management process must link into IT change management and IT project management to identify those seemingly innocent tools, plug-in apps and cloud ‘platform’ services.  All of these can have implications for protecting personal data and, ultimately, the responsibility lies with you!

Do you need assistance in improving your GDPR compliance position?

URM can offer a host of consultancy services to improve your DP policies, privacy notices, DPIAs, ROPAs, privacy notices, data retention schedules and training programmes etc.
Thumbnail of the Blog Illustration
Data Protection
Published on
14/3/2024
URM Analyses ICO’s Enforcement Actions Since the GDPR was Introduced in 2018

URM’s blog breaks down which Articles of the GDPR have seen the greatest number of enforcement actions by the ICO, and which have gone largely unenforced.

Read more
Thumbnail of the Blog Illustration
Data Protection
Published on
29/5/2024
First official European response to the Data Protection and Digital Information Bill

URM’s blog explores the first formal European response to the DPDI Bill, and how the Bill may jeopardise the UK’s adequacy status when it reforms the UK GDPR.

Read more
Thumbnail of the Blog Illustration
Data Protection
Published on
5/6/2024
Data Protection Considerations for Data Analytics

URM’s blog explores the data protection considerations for data analytics tools, and how to reap their many benefits while still maintaining GDPR compliance.

Read more
We cannot thank URM enough for their help in ensuring our business is GDPR compliant. Both the gap analysis conducted and the in-depth assistance with the ROPA were made much easier and understandable with URM’s help. I would like to give particular thanks to URM's Consultant for providing us with the best guidance and making a famously complex topic comprehensive, and to our Account Manager for helping make sure all our needs were covered.
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.