Are your data processors GDPR compliant?

by Adam Brogden
in Blog

19-Nov-2018 12:41

So, you’ve completed your GDPR audit, gone through your GDPR compliance processes, updated your website, upgraded your IT, trained your staff, and re-issued your contracts. You then find out that your key suppliers are not GDPR compliant. What do you do?

This is a tricky question and one that we have come across very often. GDPR doesn’t tell you how to do GDPR. There is no easy-to-understand guide or definitive checklist that tells you when you’ve finished. The same applies to your suppliers and data processors. GDPR says that YOU have to confirm that your supplier is GDPR compliant before you share data with them! You have to ensure that you have a legally binding contract that clearly sets out their responsibilities and has appropriate legal protection in place in case they mess up! But what do you do if your supplier is just not interested, refuses to respond to your requests, or gives you vague answers?

This might seem like an easy question: if your data processor is not compliant, find one that is. However, this is never quite as easy as it might seem. Your supplier might claim they are compliant, but you know they aren’t. You might have limited choices and be stuck with a supplier you can’t afford to lose. You might just be too busy to go through the pain of switching. So, what do you do? Here are a few steps you should take:

  1. Send an email and ask them to confirm that they are GDPR compliant.

  2. Send them a GDPR contract from one of our Optindigo packs. Make sure you include Schedule A from the Supplier Processing Agreement in order to clearly define the relationship and their responsibilities, even if they choose not to reply!

  3. Send them the GDPR Questionnaire in your Optindigo pack. This is pretty comprehensive and defines all sorts of things they need to do.

  4. There is a good chance they will ignore the Questionnaire in step 3 above, so try the GDPR Checklist. This is also in your pack. It’s not quite as comprehensive as the questionnaire, but it is still a good way to confirm that they are compliant.

  5. Ask for copies of their key documents: Privacy Statement, SAR document, and Information Security Policy. These are pretty vital documents, so if they don’t have them you can be pretty sure that they are not GDPR compliant.

  6. Threaten to visit and audit their GDPR processes. This might scare them into doing something!

If all else fails you need to decide whether to continue using them as a processor or find someone else. You need to balance the risk of a potential breach with the potential damage that could result. Are you really willing to take that risk?

Call us anytime if you would like to discuss.

Good luck all.