This cartoon depicts the challenges of complying with GDPR’s requirements for vendor management. Under the GDPR, there are serious responsibilities when using a vendor to process personal data. Broadly, there are three things that data controllers must do:
1. Data controllers must perform due diligence in selecting vendors that are compliant with GDPR.
2. Data controllers must have a contract with their vendors that includes certain provisions to ensure that GDPR is being followed.
3. Data controllers must monitor vendors for compliance.
Vendors must also comply with the GDPR.
The GDPR has resulted in companies taking a closer look at their vendors and whether they are GDPR-compliant. Contracts with vendors must be revised. Although some vendors might claim that they are GDPR-compliant in order to procure or maintain a company’s business, some of these claims are dubious at best. The big challenge is that large companies can have dozens, and often hundreds, of vendors receiving personal data. Going back over all these vendors and their contracts can be a tremendously difficult and time-consuming task. It is very important for both data controllers and vendors to take their responsibilities under GDPR seriously. Failure to do so can lead to large fines.
For more on this issue, see my post, The Hidden Force That Will Drive GDPR Privacy Compliance.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy and data security training. He also posts at his blog at LinkedIn, which has more than 1 million followers.