GDPR information for our suppliers and contractors

GDPR information for our suppliers and contractors

Businesses and organisations who provide services to other businesses and organisations under contract now have direct obligations under GDPR.

General Data Protection Regulation (GDPR) and the impact on businesses

Organisations have an obligation for better data management and a new regime of fines will be introduced for use when an organisation is found to be in breach of the GDPR.

Businesses and organisations who provide services to other businesses and organisations under contract (called 'Processors' under GDPR) now have direct obligations under GDPR.

As organisations and businesses prepare for GDPR to come into force, they need to understand within their supply chain or associated companies if they are prepared for the regulation. A supplier will be subject to GDPR if they are a data controller or data processor, and have access to personal data information on an EEA/EU citizen. As part of due diligence, customers will want to verify with their suppliers whether they are ready for GDPR.

The Information Commissioner's Office (ICO) has lots of information about GDPR, what it means, and what steps need to be taken to prepare for the rules:

Processor obligations under the General Data Protection Regulation (GDPR)

In addition to contractual obligations set out in GDPR, a processor has the following direct responsibilities under the GDPR. The processor must:

  • only act on the written instructions of the controller
  • not use a sub-processor without the prior written authorisation of the controller
  • cooperate with supervisory authorities (such as the ICO)
  • ensure the security of its processing
  • keep records of its processing activities
  • notify any personal data breaches to the controller
  • employ a data protection officer if required
  • appoint (in writing) a representative within the European Union if required

A processor should also be aware that:

  • it may be subject to investigative and corrective powers of supervisory authorities (such as the Information Commissioner's Office (ICO))
  • if it fails to meet its obligations, it may be subject to an administrative fine
  • if it fails to meet its GDPR obligations it may be subject to a penalty
  • if it fails to meet its GDPR obligations it may have to pay compensation

Data breach in a business

If a supplier experiences a data breach, when data has been compromised in some way (for example disclosed to the wrong individual, lost, mislaid, deleted in error), they need to report it to the Council as soon as possible and will need to investigate what has led to the breach and what action now needs to be taken to mitigate or contain the impact of the breach. The Council has a data breach form that can help with the assessment.

Should a data breach occur that is likely to result in a risk to individuals' rights and freedoms, there will be a direct obligation under the GDPR to inform the Information Commissioners Office within 72 hours of the breach taking place. Processors can now be directly penalised for data breaches and receive fines for non-compliance.
 

Was this page useful?