Our GDPR Vetting Service.
All UK companies, and especially public authorities, must ensure that the companies and suppliers that
they work and do business with are GDPR compliant. Many UK companies that hold data fail to do this,
and they risk ICO fines, civil litigation and suspension of business.
We provide a GDPR inspection service so that companies and individuals can check that the
companies and suppliers that they work and do business with ARE GDPR compliant and will not pose a
data breach risk.
Failure to adequately vet the companies and suppliers that they work and do business with for GDPR
compliance can result in fines of up to £17.5 million or 4% of total annual worldwide turnover, whichever
is higher. This can also result in civil litigation from clients whose data has been lost and, in the case of
public authorities, suspension of business by the ICO.
We can perform this service for you.
1. We ensure due diligence before engaging suppliers.
2. Request Documentation:
We review their privacy policies, data protection policies, and breach response procedures.
3. Evaluate Security:
We assess their technical security measures (e.g., encryption, access controls, firewall, ISO 27001 or
Cyber Essentials certification).
4. Map Data Flows:
We identify exactly what data is being shared, where it will be stored, and who will have access to it.
5. Mandatory Contractual Terms (Article 28):
We ensure that they have a legally binding contract (Data Processing Agreement) in place that explicitly
covers the requirements of Article 28 of the UK GDPR.
The contract must state that the processor:
Only acts on your documented instructions.
Ensures staff accessing the data are committed to confidentiality.
Implements appropriate security measures.
Does not use sub-processors without your prior written authorization.
Assists you in complying with data subject rights (access, deletion, etc.).
Assists you in meeting your data breach notification obligations.
Deletes or returns all data at the end of the contract.
6. Ongoing Monitoring and Auditing:
GDPR compliance is not a "one-off" task. You have a duty to continue checking a processor’s compliance
throughout the duration of the contract.
7. Regular Audits:
Perform periodic reviews of their security practices and data handling policies.
8. Review Sub-processors:
If the supplier uses other, lower-level suppliers (sub-processors), you must ensure the same level of data
protection is imposed on them.
9. Monitor Data Transfers:
Check if data is being transferred outside the UK/EEA and ensure appropriate safeguards (e.g., Standard
Contractual Clauses) are in place.
10. Risk-Based Approach:
You should prioritize your due diligence efforts based on the level of risk the vendor poses.
11. High-Risk Vendors:
Suppliers handling sensitive data, large volumes of data, or having system access require more in-depth,
frequent audits.
12. Low-Risk Vendors:
Simple, one-off, or non-data-sensitive contracts may require less intense vetting.
We also ensure:
Under the GDPR principle of Accountability, you must maintain records of your supplier assessments,
the contracts, and any audits conducted to prove you have taken proactive steps to ensure compliance.
We perform research on behalf of companies and individuals to ensure that they comply with the UK
General Data Protection Act of 2018 by checking that their suppliers and business contacts are GDPR
compliant.
We check that their independent Data Protection Officers (DPOs) are properly registered with the
Information Commissioner's Office (ICO). This is performed by checking the official ICO database of
independent Data Protection Officers.
https://ico.org.uk/ESDWebPages/Search
We examine the website of the company to ensure that the correct consent caveats are there, that the
correct cookie permissions are installed and that the company's privacy policy is correct.
We can issue Data Subject Access Requests (DSARs) on behalf of our clients to determine whether the
company has the correct paperwork to conform with the GDPR Act of 2018.
Please contact us about your requirements and we can give you a quote for this work.
Key Takeaway
Failure to ensure your suppliers are compliant can result in severe penalties from the ICO, as seen in
cases where pharmacies failed to secure patient data.
Rockwell Data corp