Consider the way in which your business operates. Could it operate without suppliers? Your supply chain includes every other business you deal with, from an outsourced payroll company, to a medical insurance provider, and even the company that waters the plants in the office. The supply chain is key to any business, and when the GDPR arrived it became one of the most scrutinised areas, because of the huge volume of personal data processed within it. This is why a GDPR supply chain audit is vital if you are to remain compliant.
Businesses must know exactly what their supply chain looks like. To do this, they must carry out a full audit of it to ensure that personal data is being used and protected correctly. However, this is easier said than done. The approach should be risk based, focusing effort where it matters most from a privacy perspective. Every supplier known to collect or process personal data on your behalf should be reviewed. Your business must identify the areas of highest risk and address those first.
There are, of course, some simple steps that businesses can take in order to comply.
Firstly, it is important to map precisely where data you’re responsible for sits in the supply chain. Once this is established, you’ll need to control what your suppliers are doing with the personal data shared with them.
For new suppliers, the contract must set out precisely what data will be shared, what it can be used for, how long it can be kept and what will happen to it at the end of the contract. For existing suppliers, contracts should be updated to reflect the same points, following a full review of the data currently shared with them to ensure they only have access to information appropriate to the service they provide.
Once the data to be shared has been established, stating within the contract the purposes for which it can be used protects customers from unlawful uses of their personal information.
Contracts must also define a meaningful retention period, that is, how long a supplier may keep hold of the data after the contract ends, and must detail how the data will be destroyed and/or returned at the end of that period.
Another principle of the GDPR is transparency, and again, achieving this throughout the supply chain is no easy task. The contract is, once again, central to ensuring this happens in practice.
The GDPR requires every business to keep a data breach log: Article 33(5) obliges a controller to document any personal data breach, including the facts, its effects and the remedial action taken. Whether a near miss or the real thing, and no matter what the size of the incident, it must be recorded and tracked. The log should state exactly when a breach took place, how it happened and what happened next. To demonstrate intent beyond mere compliance, companies should link each recorded breach to the steps taken to prevent it recurring.
When developing contracts with suppliers, your Data Processing Agreement should require the supplier to give you access to their breach log. You must have full visibility of any threats to the personal data you are responsible for.
Transfers across Borders
As data is collected, businesses are required to disclose their legal basis for processing it. They will also need to state where it will be shared and where it will be stored. It is highly likely that somewhere along the supply chain your data will be shared or stored outside the EU. This has become a serious matter since the invalidation of the EU-US Privacy Shield by the Court of Justice of the European Union in the Schrems II judgment of July 2020, which means transfers to the US can no longer rely on it and need another lawful transfer mechanism.
The dangers of a lax supply chain come in the form of major data breaches, reputational damage and potentially devastating fines. Organisations should be going above and beyond to avoid these consequences, adhering to the GDPR and working to improve their security posture so that sensitive data is protected from harm. Although it can be a daunting prospect, becoming compliant with the GDPR is much simpler when approached in a structured, risk-based way.
Help is at Hand
A GDPR supply chain audit is hard and time-consuming. There are many relationships to consider, as well as where you sit in value or importance to each supplier, and it can mean having to change suppliers if compliance cannot be achieved.
We are here to help. We have carried out over 200 such audits (as at August 2020) and have helped businesses like yours overcome the obstacles involved and achieve compliance.