Supplier Due Diligence Step by Step: Are you sharing personal data with a third party organisation?
Sharing personal data with a third-party organisation?
Supplier due diligence is about the contracts between controllers and processors. As a controller, you determine the purpose and means of the processing (Article 4(7)) and are responsible for ensuring that processors (i.e. suppliers and third parties) have implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk for any data processed.
Why is due diligence important?
The UK GDPR places an obligation on your school, as a data controller, to use only data processors (suppliers) who can provide you with sufficient guarantees that they have appropriate technical and organisational security measures in place that meet the requirements of the UK GDPR. In addition, you are required to put in place a service level agreement/written contract with all of your data processors. These agreements/contracts should fulfil certain requirements set out in the UK GDPR. Further information about why this is important can be found in our Carrying out Supplier Due Diligence article.
Supplier Due Diligence Step by Step
Step 1: Initial Screening: Complete the DPIA Lite Form
The DPIA Lite form asks questions about the software you want to use and checks it against our supplier database. You will then need to answer the following questions:
- What will you use the software for?
- What are the intended benefits and outcomes?
- Are you using the software/supplier already?
Step 2: Deeper Due Diligence: DPO Assessment
- The DPO will assess based on the information we have. If it is low risk, it will be signed off.
- If further information is required, move to Step 3.
Step 3: Full DPIA: More information required
- You will be asked for more information.
- You may be asked to send off our supplier due diligence form and potentially our AI form to obtain more information.
- Once received, we will re-assess and advise.

