The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018, changing how organisations collect, process and store personal data. Your organisation might have already started preparing to ensure it complies with the new legislation, but have you thought about your suppliers?
The GDPR applies to both controllers (those who say how and why personal data is processed) and processors (those who act on the controller’s behalf) who operate within the EU or offer goods and services to those in the EU.
Under the GDPR, your organisation will be held accountable for any breach of your customers’ personal data that happens anywhere along the supply chain.
If your suppliers are the weak link, they can adversely impact your organisation, causing severe fines and penalties, reputational damage and even a ban on data processing activities.
So, how can you ensure your suppliers comply with the GDPR legislation? CIPS have created a list of six steps:
1. Map the flow of personal data to see who it is going to and where it is being processed. You will need to know where your data goes, as you will have 72 hours to notify the ICO and those affected by a breach, including customers, suppliers and staff.
2. Review your existing supplier contracts, including their data protection provisions - these might need to be updated.
3. Revise your organisation’s approach to risk when looking at new suppliers - the new GDPR legislation might change how your organisation profiles financial and reputational risk.
4. Carry out due diligence on new and existing suppliers to check their compliance - do they have strict policies in place about how they collect, process and store personal data?
5. Check your insurance policies to make sure they cover data protection breaches by suppliers.
6. Put processes in place to ensure your organisation can meet the 72-hour notification period in the event of a breach.
Knowing whether your suppliers already comply with the GDPR, or are putting the necessary policies and procedures in place, helps you show the regulator and your customers that your organisation is doing everything in its power to protect your customers’ personal data and that, in the event of a breach, you have measures in place to follow the correct procedure.
For more information on how to prove you and your suppliers are meeting GDPR legislation, check out our article here.