Network Trace
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

01) Does your organisation have formal agreements in place to control third party use of personal data, including any requirements stipulated by relevant data protection legislation?

August 30, 2022
Supply Chain Management
Formal Contracts

Answer yes if your organisation ensures that all third parties with access to client data have a formal agreement in place that covers all of the requirements of the relevant data protection regulations (e.g. GDPR, Australian Privacy Act, US State Law).

A formal agreement with your suppliers is an important control in managing the Client/Supplier relationship. An agreement ensures that both parties are aligned on the service being procured, the success criteria of the service, and key supporting controls such as how the service will be secured and the supplier’s responsibilities with regards to security and compliance (this should also include a clause around audit rights).

If the service being provided by the supplier involves the transfer of data that contains personal data, it is important to include data protection clauses that define the controller/processor relationship.

An agreement should typically cover the following:

  • Deliverables to be provided by the supplier and the associated cost to be paid by the Client;
  • The responsibilities of both parties on the delivery of the service;
  • Performance criteria and review process to ensure the supplier is delivering the service to the required standard;
  • Contractual terms and conditions that include liabilities under the contract, security and compliance requirements that the Client requires the supplier comply with (including audit rights), and key regulatory compliance clauses (such as those required by data protection regulations).

It is usually wise to have a lawyer look over your standard/template supplier contract to ensure it is fit for purpose. We also recommend that when procuring a supplier under the supplier’s template contract or terms and conditions that a legal review takes place to ensure there are no gaps.

How to implement the control

Risk Ledger recommends that you use a Solicitor to develop your template supplier contracts and to provide input into each contract negotiation that takes place with your suppliers. It is also important that when using a Supplier's template contract (or terms and conditions) that a legal review is conducted to make sure there are no gaps.

The ICO has published a guide on GDPR requirements within supplier contracts that can be found here.

If you would like to contribute to this article or provide feedback, please email Contributors will be recognised on our contributors page.

Pattern Trapezoid Mesh

Defend against supply chain attacks with Defend-As-One.

No organisation is an island.