Supply Chain GDPR

Ensure your third party suppliers are compliant

Do you think you’re GDPR compliant? If your suppliers aren’t, you aren’t!

If your business relies on third-party suppliers to operate, it is your responsibility to ensure their processing activities satisfy the demands of the GDPR.

Should one of your suppliers suffer a breach involving your personal data, if the appropriate due diligence has not been completed, as the data controller, you will be liable and subject to any monetary penalties or processing restrictions imposed by the ICO.

Much of our work at PRIVACYHELPER involves educating firms on the risks of not conducting the required due diligence on suppliers before engaging with them.  Although the supplier claims they are “GDPR compliant”, very often they are not and many fail to satisfy our stringent due diligence process.

Why are you responsible?

As the data controller, the GDPR states that you assume liability for the processing activities within your business, including your external suppliers – known as processors – and any suppliers they may engage with – your subprocessors.

If your suppliers engage with sub-processors to process your personal data, then the GDPR states they must gain your permission in writing – and provide details of their due diligence process.  Have yours done this? If not, we can act on your behalf and ask them the right questions.

If either your processor or sub-processor breaches your personal data and fails to notify you, the regulator will hold you accountable. Both the supplier company and you would be likely to have financial penalties imposed.

Our approach

We offer a 3-stage process to firms who engage with us to ensure their supply chain can demonstrate compliance. These stages cover operational and organisational compliance, technical and legal compliance, and a summary of the supplier's wider processing activities.

Stage 1

Working with you, our privacy specialists will create a list of the top 10 suppliers, or top 10% of suppliers (depending on your business size) who are most critical to the business operation or have access to the most sensitive data in relation to the nature of your business.  Based on the types of data processed, our team will help you to identify your priority suppliers.

Stage 2

Our team will send a due diligence questionnaire to the supplier, asking them to demonstrate their compliance in multiple areas:

  • Organisational – including insurance policies held, the data protection and governance framework for the business, and staff training programmes.
  • Processing – the data protection and data governance framework around the processing activities of the supplier in relation to their wider client base.
  • Technical – details of their technical certifications, security policies and procedures.

Based on the ability and nature of the response to this due diligence document, our specialists will make recommendations to you as to the suitability of the supplier in line with the demands of the GDPR.

In our experience, most businesses are unable to answer all questions on the document. However, based on the questions they do answer, we can advise you as to the risks this poses to your business in the event you engage with them.  You can then make an informed business decision as to the next move.

This should be considered a critical element to your supplier onboarding process as their responses will help both of us understand how seriously they have approached their privacy obligations – and how easily they can demonstrate these.

Stage 3

Any organisations you share data with should have a Data Sharing Agreement, or a Data Processing Agreement in place with you. This contract contains specific privacy clauses such as:

  • Confirming the respective roles and obligations – data controller / data processor.
  • How the personal data they process for you should be transferred (internally and externally).
  • What technical and security measures the supplier should ensure are in place for the storage of personal data.
  • How the supplier is required to demonstrate compliance.
  • The obligations of the supplier to react in the event of a breach involving your personal data – timescales, etc.
  • The support you can reasonably expect the supplier to offer in the event of an investigation of a data breach.

Although you are likely to have an agreement or contract in place with your suppliers, in our experience it is unlikely to include sufficient privacy clauses.

Using the information from the due diligence document, our specialist data protection legal advisers will draft an addendum to ensure you are covered in the event of a breach by your supplier.

This means your supplier will be contractually obliged to comply with the GDPR in line with your expectations as the data controller.  In the event of a breach, they must also provide all reasonable support to ensure you are able to meet your 72-hour deadline set by the ICO.

While reviewing these documents, we can also ensure the appropriate safeguards and legal mechanisms are in place in the event of cross-border data flows.

Should the supplier fail to maintain their compliance, or should their processing activities not reflect the clauses of the data processing contract they have with you, this becomes a breach of contract – which you, as the data controller, are protected against.

In our work, we have come across supplier companies whose service is a perfect fit for the business we are engaged with, but whose privacy considerations are a huge concern – and your business would be taking on this risk.

You also need to consider whether your business insurance would cover you in the event of a data protection incident if you knew your preferred supplier wasn’t compliant.

By engaging with our specialists and conducting detailed due diligence on your suppliers, we will help you identify the greatest unknown privacy risks to your business – significant fines have already been imposed by European regulators and our experts could save you from similar action from the ICO.

By engaging with us, you can massively reduce the potential risk to your business posed by non-compliant suppliers – and in many cases we work with those suppliers to ensure your privacy concerns are met and the business relationship continues.

What to do next

If you’re in any way concerned about the risk arising from your supply chain – or from a specific supplier that may have been investigated by the ICO on another matter – then call us today.

Simply tell us a bit about the nature of your business, the supplier’s role in your operation and the type of personal data they process, and we will quickly outline the potential risk to your organisation.

If you need our help, then we’ll send a proposal of engagement over and can begin work once this is signed off. Your privacy concerns are our privacy concerns, and we’ll do all we can, as quickly as we can, to address them.


As with our ethos, our pricing structure is simple, straightforward and highly competitive – we offer fixed-price options.

Audit Only

For companies that will action the output of the Gap Analysis themselves or via a third party

£175 per hour

(Budget 3 hours per Department/Work Area)

No contract commitment
Single fixed price

  • Basic Gap Analysis (consulting hours based on the number of departments/work areas in the organisation)
  • Initial Discovery Phase
  • Delivery of Executive Summary & RAG Report
  • Report contains both “Quick Wins” and “Long-Term Tasks”

Audit plus Action

For companies that need Outsourced DPO and long-term gap-closure support

£150 per hour

(Budget 3 hours per Department/Work Area)

Leads to a GDPR Action & Outsourced DPO plan
Single fixed price

  • Gap Analysis (consulting hours based on the number of departments/work areas in the organisation)
  • Initial Discovery Phase
  • Delivery of Executive Summary & RAG Report
  • Report contains both “Quick Wins” and “Long-Term Tasks”


When on-site, our working day is 9am – 5pm. For site visits, reasonable subsistence expenses are charged; however, these are all agreed with you in advance. On large-scale projects, where our Global Privacy Consultants are engaged, fees are £250 per hour.

Our hourly rates mean you only pay for EXACTLY the time we need for the task – our hours are recorded on timesheets, so we are fully accountable for time vs tasks!

At PRIVACYHELPER, we pride ourselves on tailoring packages to suit your business – your needs and your budget. That is why we don’t offer pre-packaged services that your business has to try and fit into.

Once we have conducted the data discovery phase, or reviewed your existing GAP analysis documents, we’ll propose a set number of days per month – based on the size of the business, the challenges you face and the amount of guidance you’ll need from us.

This resourcing model is perfect for most companies, as it offers you the flexibility to use our time intensively when the need arises, but to keep time to a minimum at other times. You remain in complete control of your budgets!

Why choose us?

Click here to find out why we are the UK’s #1 privacy consultancy.

How much will this cost?

Our pricing structure is simple, straightforward and highly competitive. Head over to our pricing page and take a look at our most popular packages.

What next?

Get in touch via our contact us page, tell us about your business and a member of our team will get back to you.

Other services you may be interested in from PRIVACYHELPER


GDPR Consultancy

Our Privacy Team consists of expert data protection consultants in the fields of IT & Technical, Legal, Records Management and Marketing.

GDPR Training Courses

An effective, demonstrable training programme can be the difference between the ICO imposing monetary fines – or not, even if your data privacy programme has just started.


Is your marketing activity legal? We can make sure it is.