01) Does your organisation have formal agreements in place to control third party use of data that include GDPR requirements?
Written by Haydn Brooks
Created on March 18, 2019
Modified on September 19, 2019

Answer yes if your organisation ensures that every third party with access to client data has a formal agreement in place that covers all of the relevant requirements of GDPR.

A formal agreement with your suppliers is an important control in managing the Client/Supplier relationship. An agreement ensures that both parties are aligned on the service being procured, the success criteria of the service, and key supporting controls such as how the service will be secured and the supplier’s responsibilities with regard to security and compliance (this should also include a clause covering audit rights).

If the service being provided by the supplier involves the transfer of personal data, it is important to include GDPR clauses that define the controller/processor relationship.

An agreement should typically cover the following:

  • Deliverables to be provided by the supplier and the associated cost to be paid by the Client;
  • The responsibilities of both parties on the delivery of the service;
  • Performance criteria and review process to ensure the supplier is delivering the service to the required standard;
  • Contractual terms and conditions that include liabilities under the contract, the security and compliance requirements that the Client requires the supplier to comply with (including audit rights), and key regulatory compliance clauses (such as those required by GDPR).

It is usually wise to have a lawyer look over your standard/template supplier contract to ensure it is fit for purpose. We also recommend that, when procuring a supplier under the supplier’s own template contract or terms and conditions, a legal review takes place to ensure there are no gaps.

How to implement the control:
Risk Ledger recommends that you use a solicitor to develop your template supplier contracts and to provide input into each contract negotiation that takes place with your suppliers. It is also important that, when using a supplier's template contract (or terms and conditions), a legal review is conducted to make sure there are no gaps. The ICO has published a guide on GDPR requirements within supplier contracts, which can be found [here](https://ico.org.uk/media/about-the-ico/consultations/2014789/draft-gdpr-contracts-guidance-v1-for-consultation-september-2017.pdf).

If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.