Supply Chain Compliance with the GDPR

This blog focuses on an aspect of GDPR compliance that many organisations find particularly challenging: how do you ensure your supply chain complies with the Regulation when processing personal data? The obligations on data controllers to manage the processing of personal data throughout their supply chain are clearly set out in Articles 28 and 29 of the GDPR, and previous legislation contained similar obligations to obtain ‘written guarantees’ from suppliers and service providers.

As a data controller, you bear the crucial responsibility of safeguarding the rights of individuals and upholding the secure processing of their data. This duty necessitates the extension of your compliance measures to encompass external organizations that handle or have access to your data through contractual arrangements. While implementing contract change notes or GDPR contract addendums to existing suppliers might be a relatively straightforward task, the process can become considerably more complex and challenging when it comes to onboarding new suppliers.

When addressing existing suppliers, the incorporation of additional contractual clauses or revisions to existing agreements can be a manageable task, as there is already an established working relationship. However, when you are in the process of bringing new suppliers into the fold, several factors come into play.

1. You need to ensure that your GDPR compliance requirements are clearly communicated to these potential partners from the outset. This entails the development of comprehensive supplier evaluation criteria that encompass data protection and privacy standards.

2. You must work closely with your legal and compliance teams to draft legally sound contractual terms that align with the GDPR principles and regulations. These terms should set out the specific data protection obligations, responsibilities, and liabilities of the new suppliers, ensuring that they adhere to the same high standards as your existing partners.

3. As you embark on the onboarding journey with new suppliers, proactive communication and collaboration will be vital. Regular dialogue and training sessions can help them understand the significance of GDPR compliance and the role they play in maintaining it. By fostering a cooperative approach and clear lines of communication, you can enhance the likelihood of successful onboarding while maintaining the security and integrity of the data under your control.

To assess whether a new supplier has sufficient security controls in place to protect your personal data to a level that meets or exceeds your own standards, it is crucial to involve a data protection/GDPR specialist in the onboarding process. Typically, this specialist would be your data protection officer (DPO) who has the expertise to evaluate the controls implemented by potential suppliers and has the authority to veto any contracts that do not meet the required standards.

We often find the supplier onboarding process misses some fundamental trigger questions, namely:

  • Will this supplier’s services require access to our personal data or our premises where we process personal data?

  • Will this supplier provide services that will host or operate systems that will hold or process our personal data?

If the answer to either question is yes, then you need to involve your DPO in the supplier assessment process. As with any process, there are always a few ‘rabbit holes’ to look out for. Here are a few to consider:

  • In some organisations, departmental or functional heads have the ability to sign off services up to certain spend limits without going through formal procurement or supplier engagement processes. Whilst there may not be a big spend involved, there could be a big risk in terms of non-compliance with the GDPR.

  • Staff policies often contain statements relating to the installation of software on company equipment, but no restrictions on acquiring ‘online’ services. As such, before you know it, your personal data may end up being processed or accessible by an unknown third party offering a ‘free’ service.

  • Some supplier relationships are based on long-standing business opinion or service experience, without a contract at all. As we know, this can be dangerous ground when there are personnel and structural changes to the organisation, e.g. mergers or takeovers.

  • Big and small technical departments alike often circumvent the process when under pressure to deliver new or upgraded technology. The supplier management process must link into IT change management and IT project management to identify those seemingly innocent tools, plug-in apps and cloud ‘platform’ services. All of these can have implications for protecting personal data and, ultimately, the responsibility lies with you!

It's crucial to acknowledge that the ultimate responsibility for safeguarding personal data rests with you, and it's imperative to establish comprehensive supplier management procedures to guarantee GDPR compliance across the entire supply chain. Seeking guidance from GDPR consultants can be highly advantageous for obtaining additional information.