How to handle GDPR questionnaires for compliance?
By now you should have received a few GDPR questionnaire requests from your existing suppliers and customers asking what you are doing about the
upcoming GDPR regulation. Some of these may seem quite heavy-handed, as they are being incorporated into current engagement contracts. Future tenders may depend on providing proof that your organisation is GDPR compliant. This will also affect business relationships outside the EU, as your whole supply chain will need to be committed to the same standard.
Why are we getting these GDPR questionnaires?
Most of the questions should be straightforward: they need to know that the executive supports the process, that you have reviewed your procedures, implemented technical improvements and trained your staff. The purpose is for every data processor in a supply chain to be up to speed, so that in the event of a data breach the controller can show it has done its due diligence (under the GDPR a controller may only use processors that provide sufficient guarantees, and the questionnaire is the controller's evidence that it checked). So, when the blame game starts, the controller can say "well, at least I checked". That gives some assurance that their processors have done their job. Yes, it is about protecting people's backs, but it does make sure that everyone is on the same page when data is transferred beyond the organisation.
Honesty is the best policy…but with some tweaking.
When you receive one, it's best to give an honest account of where you are in the GDPR process. If I had received back a completed questionnaire saying everything was rosy, I would be suspicious, mainly because I know that my organisation hasn't got everything in order. What people want to see is that you are taking the issue seriously. If an area is "in progress", give timelines so they have confidence that there is movement in the right direction. If you had a data breach in an area that had been signed off as complete, it would not only break trust with your customer but also raise the ire of the ICO. There is a way of answering questions without giving too much detail: keep answers straightforward so you don't get caught in continual requests for "further explanation".
Next in the series “How to handle difficult supplier GDPR questions.”
The next training session will be on the 23rd of May from 4pm; see the previous article.
For those wishing to investigate these possibilities, please contact us directly regarding our on-site scanning service and contact/document management systems.