Supplier Due Diligence
As a Controller you determine the purpose and means of the processing (article 4(7)) and are responsible for ensuring processors (i.e. suppliers and third parties) have implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk for any data processed.
Please refer to the ICO guidance below for more detailed information:
What responsibilities does a controller have when using a processor?
The controller is responsible for assessing that its processor is competent to process personal data in line with the UK GDPR’s requirements. This assessment should take into account the nature of the processing and the risks to the data subjects. This is because Article 28(1) says a controller must only use a processor that can provide “sufficient guarantees” (in particular in terms of its expert knowledge, resources and reliability) to implement appropriate technical and organisational measures to ensure the processing complies with the UK GDPR and protects the rights of individuals.
Some examples of the considerations controllers should have when assessing whether the processor provides “sufficient guarantees” could include:
- the extent to which they comply with industry standards, if these apply in the context of the processing;
- whether they have sufficient technical expertise to assist the controller, eg in carrying out obligations under Articles 32-36 of the UK GDPR (technical measures, breach notifications and DPIAs);
- providing the controller with relevant documentation, eg their privacy policy, record management policy and information security policy; and
- adherence to an approved code of conduct or a certification scheme (when they become available).
This is not an exhaustive list, and ultimately it is for the controller to satisfy itself that the processor provides sufficient guarantees in the context of the processing. Whether the guarantees are sufficient will depend on both the circumstances of the processing and the risk posed to rights of individuals.
Once the controller has chosen a suitable processor, it must put in place a contract or other legal act that meets all the requirements of Article 28(3) and give the processor documented instructions to follow (either in the contract or separately).
However, the controller’s responsibilities do not end there. Controllers should ensure a processor’s compliance on an ongoing basis, in order for them to satisfy the accountability principle and demonstrate due diligence. In particular, Article 28(3)(h) explicitly requires the processor to allow for and contribute to audits and inspections, carried out either by the controller or a third party appointed by the controller. The methods used to monitor compliance and the frequency of monitoring will depend on the circumstances of the processing.
What is a controller’s liability when it uses a processor?
A controller is primarily responsible for its own compliance and ensuring the compliance of its processors. This means that, regardless of the terms of the contract with a processor, the controller may be subject to any of the corrective measures and sanctions set out in the UK GDPR. These include orders to bring processing into compliance, claims for compensation from a data subject and administrative fines. For more details about how we exercise our powers, please see the taking action page on our website.
An individual can bring claims directly against a controller if the processing breaches the UK GDPR, in particular where the processing causes the individual damage.
A controller will be liable for any damage (and any associated claim for compensation payable to an individual) if its processing activities infringe the UK GDPR.
However, a controller will not be liable for damage resulting from a breach of the UK GDPR if it can prove it was not in any way responsible for the event giving rise to the damage.
If a processor is involved in the processing, the individual making the claim for compensation can claim against either party. If a controller has to pay full compensation for damage suffered by individuals, it may be able to claim back all or part of the amount of compensation from a processor involved in the processing, to the extent that the processor is at fault.
You can easily access and check against the DPE master third-party supplier lists prior to asking a third-party supplier to complete the form. To do this click on the Third-Parties and Contracts or Software Management widget from the DPE Dashboard. Select generic processes to view the list. Some third-parties are still being assessed, although this will give you a starting point in selecting the third-parties and suppliers you use. More updates and information including the guide can be obtained from the Examples and Advice tab.
If the supplier is not on the third-party supplier list or you wish to do your own due diligence, then please use the DPE Supplier Due Diligence form:
document Supplier Due Diligence Form (51 KB)
If further due diligence advice is needed once the form is returned to you, or you just need advice, raise a ticket through the Knowledge Bank (
If you're not sure of anything please as above, email: dpo@dataprotection.
Contracts Register
ICO Reprimands a School
Product Focus on Checklists : Supplier Due Diligence
Product Focus on Checklists : DPIA
How the Record of Processing Can Help You
Carrying out Supplier Due Diligence
Have a question about supplier due diligence? Ask it here.