Do you think you’re GDPR compliant? If your suppliers aren’t, you aren’t!
If your business relies on third-party suppliers to operate, it is your responsibility to ensure their processing activities satisfy the demands of the GDPR.
Should one of your suppliers suffer a breach involving your personal data, and you cannot show that appropriate due diligence was completed before you engaged them, then as the data controller you may be held liable and subject to any monetary penalties or processing restrictions imposed by the ICO.
Much of our work at PRIVACY HELPER involves educating firms on the risks of not conducting the required due diligence on suppliers before engaging with them. Although a supplier may claim to be "GDPR compliant", very often they are not, and many fail to satisfy our stringent due diligence process.
Why are you responsible?
As the data controller, you remain accountable under the GDPR for the processing activities within your business, including those carried out by your external suppliers (known as processors) and by any suppliers they in turn engage (sub-processors). Article 28 requires you to use only processors that can provide sufficient guarantees that they will meet the GDPR's requirements.
If your suppliers engage sub-processors to process your personal data, the GDPR requires them to obtain your prior written authorisation (either specific to that sub-processor or a general authorisation you have agreed to), and to flow the same data protection obligations down to the sub-processor by contract. Have yours done this? If not, we can act on your behalf and ask them the right questions.
If either your processor or a sub-processor suffers a breach involving your personal data and fails to notify you, the processor is itself in breach of its duty to notify you without undue delay, but you remain accountable to the regulator as the controller. Both the supplier and you could have financial penalties imposed.
Our approach
We offer a three-stage process to firms who engage with us, to ensure their supply chain can demonstrate compliance. The stages cover operational and organisational compliance, technical and legal compliance, and a summary of each supplier's wider processing activities.
Stage 1
Working with you, our privacy specialists will identify your priority suppliers: the top 10 suppliers, or the top 10% of suppliers (depending on the size of your business), who are most critical to your operation or who have access to the most sensitive data given the nature of your business. The prioritisation is based on the types of personal data each supplier processes for you.
Stage 2
Our team will send a due diligence questionnaire to the supplier, asking them to demonstrate their compliance in multiple areas:
- Organisational – including insurance policies held, the data protection and governance framework for the business, and staff training programmes.
- Processing – the data protection and data governance framework around the processing activities of the supplier in relation to their wider client base.
- Technical – details of their technical certifications, security policies and procedures.
Based on the completeness and quality of the supplier's response to this due diligence document, our specialists will make recommendations to you on the suitability of the supplier in line with the demands of the GDPR.
In our experience, most businesses are unable to answer all the questions on the document. However, based on the questions they do answer, we can advise you of the risks this poses to your business should you engage with them, and you can then make an informed business decision on the next move.
This should be considered a critical element of your supplier onboarding process, as the responses will help both of us understand how seriously the supplier has approached its privacy obligations, and how easily it can demonstrate them.
Stage 3
Any supplier that processes personal data on your behalf must have a Data Processing Agreement in place with you (Article 28 of the GDPR requires it), and any organisation you share personal data with as a fellow controller should have a Data Sharing Agreement with you. This contract contains specific privacy clauses such as:
- Confirming the respective roles and obligations – data controller/data processor.
- How the personal data they process for you should be transferred (internally and externally).
- The technical and organisational security measures the supplier must have in place for the storage and processing of personal data.
- How the supplier is required to demonstrate compliance.
- The obligations of the supplier to react in the event of a breach involving your personal data – timescales, etc.
- The support you can reasonably expect the supplier to offer in the event of an investigation of a data breach.
Although you are likely to have an agreement or contract in place with your suppliers, in our experience it is unlikely to include sufficient privacy clauses.
Using the information from the due diligence document, our specialist data protection legal advisers will draft an addendum to ensure you are covered in the event of a breach by your supplier.
This means your supplier will be contractually obliged to comply with the GDPR in line with your expectations as the data controller. In the event of a breach, they must also provide all reasonable support so that you can meet your GDPR obligation to notify the ICO within 72 hours of becoming aware of a reportable breach, which means they must tell you promptly and give you enough detail to assess the risk to the individuals affected.
While reviewing these documents, we can also ensure that the appropriate safeguards and legal mechanisms are in place for any cross-border data flows.
Should the supplier fail to maintain their compliance, or should their processing activities not reflect the clauses of the data processing contract they have with you, this becomes a breach of contract. That gives you contractual recourse against the supplier and evidence for the regulator that you exercised due diligence as the data controller.
In our work, we have come across supplier companies whose service is a perfect fit for the business we are engaged with, but whose privacy practices are a serious concern. If you engage such a supplier, your business takes on that risk.
You also need to consider whether your business insurance would cover you in the event of a data protection incident if you knowingly engaged a supplier that was not compliant.
By engaging our specialists to conduct detailed due diligence on your suppliers, you will identify the greatest unknown privacy risks to your business. Significant fines have already been imposed by European regulators, and our experts could save you from similar action by the ICO.
Engaging with us substantially reduces the potential risk to your business from non-compliant suppliers, and in many cases we work with those suppliers to ensure your privacy concerns are met so that the business relationship can continue.
What to do next
If you are in any way concerned about the risk arising from your supply chain, or from a specific supplier that may have been investigated by the ICO on another matter, then call us today.
Simply tell us a bit about the nature of your business, the supplier's role in your operation and the type of personal data they process, and we will quickly outline the potential risk to your organisation.
If you need our help, then we’ll send a proposal of engagement over and can begin work once this is signed off. Your privacy concerns are our privacy concerns and we’ll do all we can, as quickly as we can to address this.