Why GDPR and Supplier Management go Hand-in-Hand
The European Union General Data Protection Regulation (GDPR) has been around long enough to have become familiar, and people are more aware of their responsibilities towards protecting data than ever before. However, the area where we find companies fall down the most, two years after the regulation came into force, is GDPR and supplier management.
Have you considered how your vendors are processing your data?
If you operate in the EU (which means you hold data of EU citizens) and use third-party suppliers, your GDPR responsibilities also extend to any suppliers working for your business. This means that if your suppliers or vendors have a data breach, it is most definitely your problem. And when the potential result is a fine of up to €20 million or 4% of global annual turnover, it’s well worth protecting your interests here.
To protect your business from potential data breaches and stay compliant with the European legislation, it is important that you cover GDPR in vendor contracts. Before you do so, you’ll want to discuss how you and your third-party suppliers will process data in your roles working together.
GDPR Insight for Vendor Contracts
Define your GDPR Supplier Management Responsibilities
There’s no one-size-fits-all approach to GDPR and third-party management as each company has its own way of processing and storing data. Your main objective should be to create a clear agreement about accountability and liability. Questions to consider at the supplier sourcing stage are:
- Does your supplier have an appointed Data Protection Officer?
- How often do they review/update their policies for processing data?
- Where do they store their data? What systems and third parties do they use?
- How do they encrypt personal data?
- How would they identify and deal with a data breach?
- Do they have a process for destroying data?
Once you are confident in their internal GDPR compliance, we recommend that you define the responsibilities of each party clearly and ensure GDPR is a contractual obligation for third parties. This way, you have written evidence that once you transfer data securely out of your systems and to your supplier, they have robust processes to ensure continued compliance.
Plan for the Worst
Even with the most detailed Impact Assessments and Data Processing Agreements in place, there is always the chance a personal data breach can happen. Make sure all contracts you have with your third-party suppliers detail what needs to be done if the worst happens.
- What are the supplier’s responsibilities towards reporting the breach?
- How much support will your company provide to minimise the impact of a vendor GDPR breach?
- Is your supplier contractually obliged to take action on a breach at no extra cost to your business?
If you’re concerned about a supplier’s ability to keep data secure, or to act in the case of a breach, there are a few options for you:
- Insist on suppliers using your encrypted systems for data processing to minimise risk during data transfer.
- Find another supplier that won’t risk your data security. Sometimes, it just isn’t worth it.
Agree Reviews and Audits
When writing GDPR into vendor contracts, you should plan audits and reviews of GDPR policies and procedures on an annual basis. While this can be a requirement for the supplier to complete, we would recommend being involved in annual policy audits as, when all’s said and done, it is your responsibility.
Create a Plan for Deletion
Lastly, it is essential to define when the data no longer needs to be held by the Data Processor, and what should happen when that time arrives. Ensure that the supplier will delete all data within the timescales required, and define how they will document and inform you of the deletion.
Engage the GDPR Supplier Management Experts
If you are concerned that you are not meeting your legal responsibilities towards GDPR in vendor contracts, seek advice from an expert. The cost of a data breach far outweighs the investment in a professional to manage your supplier GDPR compliance.
Get in touch with us at Certainty Solution for a free consultation on your supplier management.