Tackling the supply chain

The supply chain turns the cogs for most businesses. From outsourced payroll or marketing services, to medical insurance providers and even the company that waters the office plants – the supply chain is a jigsaw that is often larger than first anticipated. It comes as no surprise, therefore, that it will be one of the most scrutinised areas under GDPR due to the sheer volume of data processed as part of it.

In preparation, companies need to know exactly what their supply chain looks like by taking a risk-based audit, with efforts focused where it matters most form a privacy perspective. This is something that is much easier said than done, however, there are some simple steps that businesses can take in order to comply.

What, where and why

First and foremost, it is important to map precisely where data you’re responsible for lies throughout the supply chain. Once this is established, you’ll need to control what your new, existing and previous suppliers are doing with the personal data shared with them:

  • New suppliers should be brought on board with a contract outlining precisely what data will be shared, what it can be used for and what will happen to it at the end of the contract. The agreement will also need to define a meaningful retention period for holding on to data following the end of the contract, and how the data will be destroyed and/or returned at the end of this period.
  • Existing suppliers contracts also need updating to reflect these precautions, while carrying out a full review of their current distributed data will ensure they only have access to the information they need.
  • Previous suppliers can be trickier to handle. Where they are known to have collected and processed personal data, the suppliers should be reviewed to identify areas of high risk that need to be addressed.

Carrying out these measures will protect customers from unlawful uses of their personal information. For example, a marketing company coordinating email campaigns would only have access to information relevant for that purpose – that means no date of birth or bank details – and would not lawfully be able to add customers to other distribution lists.


Any actual or suspected data breaches, whether large or small, must be recorded or tracked in a breach log. As a minimum, reporting on exactly when a breach took place, how it happened, the decision that was made in response and who signed off this decision, will prove a business is at least attempting to comply. Since the general consensus of GDPR is ‘the more, the better’, those wishing to demonstrate intent beyond mere compliance should link the recorded breach to any steps taken to prevent further breaches.

For ensuring full transparency of any potential breaches to data you are responsible for, it’s highly advised that contracts developed with suppliers should agree access to their own breach logs. This also provides opportunity to monitor for vulnerabilities and flag when a supplier’s cyber security might not be up to scratch – any alarming activity will provide a warning sign to change suppliers and can help avoid falling victim to a severe cyber attack.

Beyond the EU

When collecting data, businesses will be required to disclose what it is being used for, as well as how it will be processed, shared and stored. Due to the extent of most supply chains, it’s also highly likely that somewhere along the line, data may be shared or stored outside the EU.

Even if a supplier is not UK-based, they will need to comply with the same regulations if they hold any personal data relating to people in the EU. But the onus is on the business responsible for the data to ensure that any contracted suppliers meet these standards.

No excuse

As the months are drawing ever closer to GDPR, businesses need to ensure they are making significant steps towards securing the supply chain.

The main objective for any business should be to improve their security defences and ensure all sensitive data is safeguarded. Although the initial task can be overwhelming, approaching GDPR with a structured, risk-based approach is the best way forward.


By Stephen Bailey, associate director at NCC Group

Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.

Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered. https://www.privacyculture.com/