Working with your suppliers towards GDPR compliance

The General Data Protection Regulation (GDPR) comes into effect on May 25, 2018, and organizations (large and small) are currently preparing for the new regime. As an evolution of the current data protection legal framework, the GDPR will also apply with extraterritorial effect to organizations based outside the EU that offer goods and services to, or monitor individuals in, the EU.

Data accountability

The GDPR places increased focus on the principle of accountability, which requires organizations that process data to demonstrate compliance with the core principles of data protection—from lawfulness, fairness, and transparency to data minimization. However, accountability doesn’t stop at data flows within your organization. Given how data often moves to and between other companies you work with, from payroll providers to cloud productivity services, your relationship with suppliers is also a critical factor in your compliance journey.

Same fundamental principles—higher bar

The GDPR builds upon the current legal framework, including the existing EU Data Protection Directive, but imposes a more prescriptive data protection regime than the current law. This includes the area of processing arrangements. The GDPR retains many of the basic concepts and principles from the current law, such as the roles of controllers and processors. Controllers are defined as those responsible for determining the purposes and means of the processing of personal data, while processors are organizations, such as an agent or supplier, that a controller may engage to process personal data on its behalf.

While the GDPR should not create a completely new relationship between your organization as the controller and your suppliers as the processors, it will place greater emphasis on the role of processors by directly regulating their actions for the first time. As it stands, the existing directive generally regulates controllers and not processors.

Focus on security

The GDPR obliges controllers to use appropriate security standards and to choose processors who implement technical and organizational measures that meet its requirements. This is a broader obligation than under the current directive, so controllers should carefully select a processor that can help their GDPR compliance strategy. In some cases, suppliers may also be a critical resource in helping your own business prepare and may have tools in place to assist you in your compliance journey. The GDPR will affect every aspect of the processing relationship: from the moment you select a processor, through the content you must include in the processing contract, to the end of that arrangement and how data is dealt with at that stage.

Supplier checklist

Under the GDPR, there are certain specific obligations that you, as the controller, should be confident that your supplier is complying with. These include maintaining adequate documentation (Article 30), cooperating with national supervisory authorities (Article 31), implementing appropriate security standards (Article 32), conducting data protection impact assessments (Article 35), appointing a data protection officer (Article 37), and complying with the provisions on international data transfers (Chapter V). Further enhanced obligations under Article 28 require a written data processing agreement to be put in place between you and your supplier.

Supply chain assessment

The process for checking the health of a controller-supplier relationship is broadly two-fold. Firstly, supply chains will need to be assessed to determine current compliance with GDPR. Secondly, in many cases contracts may need to be reviewed to ensure they meet the requirements of GDPR. Organizations should be taking action now to ensure that any arrangements which will still be in force after May 25, 2018 comply with the new provisions. This includes both new arrangements, when selecting and contracting with new suppliers, and existing engagements, where sufficient time must be scheduled if it is necessary to renegotiate existing terms.

Ongoing compliance

Of course, GDPR compliance across your organization does not begin or end with the relationship with your supplier. It means thinking more broadly about how data moves around and is protected in your organization. Even so, suppliers should be an important partner on your road to GDPR compliance.


Dyann Heward-Mills is the Head of the Data Protection and Cyber Security Practice Group in Baker McKenzie’s London office.