
GDPR: how do you evaluate your suppliers’ compliance?

Make IT Safe

The limits of GDPR clauses in tenders

Here we are. New tenders include GDPR annexes.

Extract from a recent tender annex:

“The contractor makes available to the [Data Controller] the documentation needed to demonstrate respect of all its obligations and to enable audits, including inspections, by [the Data Controller] or another auditor they have appointed, and contributes to these audits […]”

It also covers maintaining an up-to-date register, ensuring data confidentiality, having a Data Protection Officer (DPO), etc.

So the subcontractor commits contractually. Great. But is that enough?

To state the obvious: it is the bare minimum, since it amounts to no more than complying with the law. The annex also sets out a few principles for sharing responsibility when the supervisory authority (in France, the CNIL) steps in.

But limiting the approach to a contractual, purely declarative annex leaves you blind to where the subcontractor actually stands in terms of maturity and GDPR compliance. A few well-chosen questions, each backed by evidence, can give you a first assessment.

Evaluating your suppliers’ GDPR maturity: where to start?

Beyond a simple contract clause, concretely evaluating subcontractors’ GDPR maturity matters. Sample questions to ask:

  • Do you have an independent DPO with the right professional qualifications?
  • Have you raised awareness among all employees who handle personal data?
  • Do you host personal data outside the European Union? If in the United States, have you checked that your provider is on the list of Privacy Shield companies? (Note that the CJEU invalidated Privacy Shield in its Schrems II ruling of July 2020; transfers to the US now rely on Standard Contractual Clauses or the EU-US Data Privacy Framework adopted in 2023, so ask for the transfer mechanism in use rather than for Privacy Shield membership.)
  • Provide the description of your B2B customer-relationship processing, as recorded in your register of processing activities.
  • Do you have a CISO or equivalent?

Each question should come with evidence, not just a yes/no answer: the DPO’s designation, the training records, the hosting contract, the register extract. This is close to what some companies already do when evaluating partners’ cybersecurity compliance. Step by step, you build a picture of the subcontractor’s commitment to personal-data protection through a Compliance Assurance Plan, a cousin of the Supplier Security Assurance Plan.

This clearly takes time, but tools exist to smooth the process. And, as the GDPR annex reminds us, the contractor must “take into account, regarding its tools, products, applications or services, the principles of data protection by design and by default”. This Privacy by Design principle should become widespread: clients should evaluate future subcontractors’ practices from the consultation phase onwards, together with procurement, rather than discovering gaps after the contract is signed.
