How to write a GDPR Questionnaire?
See our previous articles relating to GDPR Questionnaires and how to handle difficult requests.
So, you may have got everything ready for your organisation: documented procedures, updated privacy policies, trained staff. But you are also responsible for compliance with respect to any breach in your supply chain. Even large organisations will find that they have personal information transferred beyond their own locations: payroll bureaus, delivery agents, legal advisors, software support; the list can get quite extensive when you think about it. Yet how would you know that they are treating the matter as seriously as you would expect? By now you will appreciate the amount of thought and effort it took to get your own organisation over the line, so how could you possibly vouch for another business's internal systems, or even have any influence over them?
Ways in which you can verify a supplier's GDPR compliance
Ultimately, you can only conduct a due diligence exercise in which the supplier either confirms that they are on the road to compliance and/or provides evidence to that effect. You can do this in many ways:
- GDPR Questionnaire: this should not just be a tick-box exercise, but an opportunity to ask some pertinent questions about their current progress towards compliance. Get them to describe certain processes in detail. These could include the same sort of tasks that you would have gone through yourself. Have they appointed a Data Protection Officer? What is their ICO number? Where do they store your personal information? Have they verified their security? Have they trained staff, and who provided the training? At the very least, if there is a data breach on their side, you will have a document that lets you say "well, you told us you had done this". That limits your exposure, because you have it on record that you checked your supplier's suitability.
- On-site Inspections: for more important or larger suppliers it may be appropriate to pay them an on-site visit. That way they can demonstrate exactly where they are, and you can design a co-operative approach to solving joint issues. One UK service provider I met at a conference told the story of how their US customer insisted on a 10-hour teleconference to investigate their IT security. Why the US? Because they don't want the grief of dealing with European authorities, and as data is now being distributed around the globe, more and more international arrangements will be caught in the net of these EU rules.
The importance of using your data map to trace your suppliers' responsibilities
All of this should be driven from your data map, since tracing the audit trail highlights the data's journey, who is involved, and why. Either way, you as the data controller will be ultimately responsible for the information no matter where it is held, and you need to show due care for it in the course of day-to-day service delivery.
If you need our assistance in getting your organisation GDPR compliant, please see our introductory offer and Services page. Further information is available in our FAQ section, and useful tools in Downloads.
For those wishing to investigate these possibilities, please contact us directly regarding our on-site scanning service and contact/document management systems.