In this blog, we explain the difference between the roles of data controllers and processors and delve into the vendor due diligence process, providing North American organisations with essential steps to maintain GDPR compliance.
You’ll learn how to:
- Review the vendor’s data handling practices
- Assess policies and procedures
- Evaluate technical security measures
- Review international data transfer controls and processes
- Mitigate risks & finalise the Data Processor Agreement (DPA)
Overview
According to a report by Technavio, the global outsourcing market is expected to grow by $88.8 billion between 2024 and 2029, with a compound annual growth rate of 6.8%.
Outsourcing specific processes, or even entire business functions, can enhance efficiency and allow companies to focus on their core strengths. However, when you have vendors handling personal data, it’s critical to understand the associated data protection responsibilities of both parties.
Under the General Data Protection Regulation (GDPR), vendors include any third parties, partners, or suppliers with access to personal data – not just traditional service providers.
Organizations are legally required to safeguard personal data, and failure to do so can result in fines and reputational harm. Ensuring that your vendors also meet GDPR obligations is a key part of maintaining compliance.
Understanding GDPR roles: Controller vs processor
The GDPR distinguishes between a data ‘controller’ and a ‘processor’ to clarify their respective roles and responsibilities in managing personal data.
- A ‘controller’ decides how and why personal data is collected and processed
- A ‘processor’ handles personal data on behalf of the controller, following the controller’s instructions
Data controllers hold the highest level of compliance responsibility, even if a third-party vendor is handling the day-to-day processing.
Data processors have some direct legal obligations, including notifying the controller of any data breach, implementing appropriate data security measures, and keeping a record of data processing activities.
Let’s look at a real-world example:
A North American healthcare provider (controller) collects patient data from individuals in the EU to provide medical services. The data is stored and managed on a third-party cloud storage platform (processor) and includes information such as names, addresses, and medical histories.
In this example, the healthcare provider must ensure any personal data is processed in strict accordance with the GDPR. This includes providing clear privacy notices, establishing an appropriate lawful basis, and safeguarding the security of the data, including any onward transfers of personal data outside the EU.
Before using the third-party cloud storage platform, the healthcare provider must:
- Ensure the vendor’s data protection practices meet GDPR standards
- Identify and mitigate any risks before sharing personal data
- Implement clear contracts that outline roles, responsibilities, and security requirements
Once onboarded, the cloud storage platform must follow the healthcare company’s instructions and maintain robust safeguards. If a data breach occurs, the cloud storage provider is expected to notify the healthcare company without undue delay – ideally within 48 hours, though this should be determined in each contract.
Reminder: Under the GDPR, controllers have up to 72 hours after becoming aware of a personal data breach to report it to the relevant regulatory authority. If the breach poses a high risk to individuals, they must also be informed directly.
5 essential steps for effective due diligence
A best-practice due diligence process typically starts with a questionnaire and follows these 5 key steps:
Step 1: Review the vendor’s data handling practices
A due diligence questionnaire should request the vendor’s privacy policy and any voluntary or mandatory risk assessment documents, such as Data Protection Impact Assessments (DPIAs), relating to the services offered.
Key details to establish:
- How personal data will be collected
- Where it will be stored
- Who will have access to the data
- Use of sub-processors, including their data handling practices (sub-processors are third parties engaged by the vendor who may access the personal data)
- What the retention periods are (the GDPR requires data to be kept no longer than necessary)
- If they have any certifications, such as Cyber Essentials Plus, ISO9001, or ISO27001/27701, which demonstrate a commitment to strong data protection practices across the organization
Step 2: Assess policies and procedures
The next step is to evaluate the vendor’s data protection policies and procedures to ensure they align with GDPR requirements.
These should include at least:
- Privacy policy and privacy notice
- Data breach response procedure
- Data Subject Access Request (DSAR) procedure
- Data sharing processes
- Employee data protection training programs
The vendor needs to demonstrate that appropriate controls are in place for data processing, including any sub-processors they may use, and that these controls are regularly audited and maintained.
Step 3: Evaluate technical security measures
Ensure the vendor has robust technical safeguards to protect personal data from unauthorized access, alteration, disclosure, or destruction.
These measures may include:
- Encryption: Converts data into a code to prevent unauthorized access
- Access controls: Authenticates users and restricts access to systems and data
- Firewalls: Monitors and controls incoming and outgoing network traffic based on predetermined security rules
- Intrusion detection systems (IDS): Detects malicious activity within the network
- Security information and event management (SIEM) systems: Analyses security alerts generated by applications and network hardware in real time
- Regular security audits: Systematic evaluations of IT systems to measure how well they conform to a set of established criteria
Step 4: Review international data transfer controls and processes
If personal data is stored or processed outside the EEA and/or UK, the vendor must demonstrate that a valid international transfer mechanism is in place.
Your contract should require the vendor to implement appropriate safeguards for both their own transfers and any onward transfer by sub-processors. This often involves using Standard Contractual Clauses (SCCs) or another GDPR-approved mechanism.
If the data is considered high risk, a supporting DPIA should also be provided.
See also: International Data Transfers: Explaining EU SCCs, UK Addendum and UK IDTA (DPO Centre)
Step 5: Mitigate risks & finalise the Data Processor Agreement (DPA)
If any risks have been identified during the due diligence process, the vendor needs to resolve them before moving forward. For example, if the vendor lacks intrusion alerts, they should implement system monitoring and provide evidence.
The final step is to draft a Data Processing Agreement (DPA), which should include:
- General information – Purpose, duration, data categories, and GDPR responsibilities of both parties
- Security measures – Technical and organizational safeguards required of the processor
- Sub-processors – Whether sub-processing is allowed and under what conditions
- Breach notifications – Requirement to notify the controller without undue delay in the event of a breach
- Audits and inspections – Controllers should secure the right to verify compliance through audits
- End-of-contract provisions – Instructions on returning or deleting data at contract termination
- Liabilities and indemnities – Controllers should require processors to indemnify them against all costs, claims, damages, and expenses incurred because of the processor’s actions. Controllers typically seek unlimited liability, while processors should negotiate a cap.
For a template DPA, download our GDPR Policy Toolkit.
Summary
Conducting vendor due diligence is essential for identifying and mitigating risk and ensuring GDPR compliance. It provides an opportunity to evaluate a vendor’s operational procedures and data protection practices before entering into a contract.
An effective due diligence process should include a questionnaire covering five key areas: data handling practices, policies and procedures, technical security measures, international data transfers, and risk mitigation prior to drafting a Data Processing Agreement (DPA).
These steps also apply to existing suppliers or outsourced services. However, given the number of suppliers most organizations work with, it’s often more practical to start with a pre-qualification risk assessment. This helps prioritize which vendors require further review based on factors like GDPR applicability, risk level, and the type of data processed.
____________________________________________________________________________________________________________
The DPO Centre has extensive experience helping North American organizations meet their GDPR obligations when working with third-party vendors. Contact us today for expert support with your vendor due diligence processes.
____________________________________________________________________________________________________________