Did you know that if any third-party vendor your company uses is not compliant with the General Data Protection Regulation (GDPR), you could be held liable for their actions? And even if you aren’t, your company’s reputation could suffer if a data breach occurs. The case for complying with GDPR is indisputable—the penalties are hefty and the public relations damage can derail your company’s performance. One thing is certain: detailed and ongoing vendor monitoring from a data protection perspective is critical.
Unfortunately, it’s not as simple as outsourcing data governance and privacy compliance to your vendors. You must conduct due diligence, have the necessary contract terms in place, and monitor vendor services to ensure they are processing data in accordance with the GDPR’s data protection regulations.
What kind of data must be protected? Personal data, meaning any information that could be used to identify a person, including name, photo, email address, date of birth, ethnicity, religion, bank account details, purchase history, medical information, or employment history.
In the context of third parties, this includes the contact details of supplier personnel, such as their name, phone number, business email address, or job title. Make sure you only collect third-party personal data that’s required, handle that data appropriately, and properly discard the data when it’s no longer needed.
It is your company’s responsibility to ensure that any third parties that process the personal data of your employees, clients, or customers have the appropriate processes and security in place to protect that data. You must also ensure that they comply with the GDPR when handling and processing personal data.
For example, your company may use third-party data processors to perform payroll services and administer employee health and retirement plans. Such third-party vendors will handle personal data, including sensitive personal data. It’s essential to conduct due diligence on these and all third-party vendors before sharing the personal data of your employees or customers. If you suspect a vendor is unable to meet the GDPR requirements, you will likely need to find alternative suppliers who can ensure compliance.
Here are the top five things to consider when making sure your company’s procurement is GDPR compliant:
1. Understand your data. Map personal data flows through supply chains, identifying recipients of personal data and where the personal data is processed.
2. Review new and update existing contracts for GDPR compliance. Identify existing supplier contracts involving personal data and review their data protection provisions.
3. Assess suppliers’ approaches to contractual risk. The risks posed by the regulation may change the risk profile of organizations, requiring a different approach to liability for data protection and data security breaches.
4. Examine the supplier selection process. Conduct due diligence on new suppliers to ensure GDPR compliance, secure guarantees regarding suppliers’ procedures, and ensure the contract includes audit rights, as well as other mandated data processing provisions.
5. Confirm that existing policies cover data protection and security breaches, including supplier breaches, and that the organization is ready to comply with the 72-hour breach notification requirement.
By conducting due diligence, putting in place the necessary contract terms, and monitoring vendor services to ensure they are processing data in accordance with data protection regulations, your organization will be well-positioned for the new world order of data protection as set forth by the GDPR.