Do your suppliers comply with the GDPR legislation?

16th November 2017 by Hannah Gorton in Virtual College. Last updated on 24th April 2018.

The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018, changing how organisations collect, process and store personal data. Your organisation may already be preparing to comply with the new legislation, but have you thought about your suppliers?

The GDPR applies to both controllers (those who decide why and how personal data is processed) and processors (those who process it on the controller’s behalf), whether they are established in the EU or simply offer goods and services to people in the EU.

Under the GDPR, a controller may only use processors that give sufficient guarantees that they will meet the regulation’s requirements, so your organisation remains accountable for breaches of your customers’ personal data that happen along the supply chain.

If your suppliers are the weak link, they can adversely impact your organisation, causing severe fines and penalties, reputational damage and even a ban on data processing activities.

So, how can you ensure your suppliers comply with the GDPR legislation? CIPS have created a list of six steps:

1. Map the flow of personal data, so you know who receives it and where it is processed. You need to know where your data goes because, once you become aware of a breach, you have 72 hours to notify the supervisory authority (the ICO in the UK), and those affected, whether customers, suppliers or staff, must be told without undue delay where the breach puts them at high risk.

2. Review the data protection provisions in your existing supplier contracts. The GDPR requires contracts with processors to include specific terms, so these may need to be updated.

3. Revise your organisation’s approach to risk when looking at new suppliers - the new GDPR legislation might change how your organisation profiles financial and reputational risk.

4. Carry out due diligence on new and existing suppliers to check their compliance - do they have strict policies in place about how they collect, process and store personal data?

5. Check your insurance policies to make sure they cover data protection breaches by suppliers.

6. Put processes in place so that your organisation can meet the 72-hour deadline for notifying the supervisory authority in the event of a breach.

Knowing whether your suppliers already comply with the GDPR, or are putting the necessary policies and procedures in place, helps you show the regulator and your customers that your organisation is doing everything in its power to protect your customers’ personal data, and that, in the event of a breach, you have measures in place to follow the correct procedure.

For more information on how to prove you and your suppliers are meeting GDPR legislation, check out our article here.

Author: Hannah Gorton

Hannah is a content writer for the marketing team at Virtual College. She has a degree in English literature and writes articles and blog posts for a range of topics within the learning industry. In her spare time she enjoys reading, knitting and gaming.
