This cartoon depicts the challenges of complying with GDPR’s requirements for vendor management. Under the GDPR, there are serious responsibilities when using a vendor to process personal data. Broadly, there are three things that data controllers must do:
1. Data controllers must perform due diligence in selecting vendors that are compliant with GDPR.
2. Data controllers must have a contract with their vendors that includes certain provisions to ensure that GDPR is being followed.
3. Data controllers must monitor vendors for compliance.
Vendors must also comply with the GDPR.