
12. A Simple Guide to Using Third-Party Tools and Suppliers

Privacy Culture | August 1, 2025

Making sure your partners protect data as carefully as you do

Most organisations rely on third parties such as cloud services, payroll providers, marketing platforms, or IT contractors to help process personal data. The UK GDPR calls these organisations processors, and the organisation that decides why and how the data is used is the controller. Working with processors is normal, but it needs to be done safely and transparently.

If you remember nothing else, remember this: you can outsource the work, not the responsibility.

1. Why suppliers matter for data protection

When a supplier processes personal data on your behalf, you remain legally accountable as the controller. The supplier may act only on your documented instructions and must meet the security and confidentiality standards the UK GDPR sets for processors, but you are still responsible for checking that they do.

Examples include:

  • A payroll company managing employee salary details
  • A marketing firm handling customer contact lists
  • A cloud provider hosting HR files
  • An IT contractor accessing user data to provide support

Every one of these relationships must be covered by a formal written agreement.

2. The importance of written contracts

Article 28 of the UK GDPR requires a written contract, usually called a data processing agreement (DPA), between the controller and the processor. This document sets out what personal data is processed, why and for how long, how it will be protected, and what happens to the data when the contract ends.

Your DPA should include:

  • The subject matter, duration, nature and purpose of the processing
  • The categories of personal data and individuals involved
  • A requirement to process the data only on your documented instructions
  • Security requirements and confidentiality obligations for the supplier's staff
  • Rules on sub-processors
  • Help with data subject requests, security measures and breach notification
  • Deletion or return of data at the end of the contract
  • Audit and inspection rights, including access to the evidence you need to verify compliance

Without this written contract, both parties are in breach of the law: the controller for engaging a processor without one, and the processor for processing without the required contract.

3. Checking supplier compliance

Before choosing or renewing a supplier:

  • Review their privacy and security documentation.
  • Ask about certifications such as ISO 27001 or Cyber Essentials, and check the scope and expiry date of the certificate rather than just its existence.
  • Check where their servers are located and from which countries their staff can access the data. Remote access from abroad is a transfer too. If data is transferred outside the UK (or, for EU data, the EEA), additional safeguards are required.
  • Ensure they have a process for reporting breaches to you quickly. A processor must notify you without undue delay, and your own 72-hour deadline for reporting to the ICO runs from the moment you become aware.

Ongoing monitoring is just as important as the initial assessment. Review their compliance annually or whenever major changes occur.

4. Sub-processors and supply chains

Suppliers sometimes use other suppliers, known as sub-processors. They must have your written authorisation before appointing any sub-processor. This can be specific (you approve each one) or general (you approve a list and the supplier must tell you about additions or replacements in time for you to object). The same data protection obligations must flow down to each link in the chain, and your supplier remains fully liable to you for the sub-processors it chooses.

If your supplier uses a tool or subcontractor based overseas, ensure international transfer rules are followed, such as relying on UK adequacy regulations or using an approved transfer mechanism. For the UK GDPR these are the ICO's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU standard contractual clauses.

5. Ending the relationship safely

When a contract finishes, personal data must be deleted or returned.

  • Ask for written confirmation that all data and backups have been securely removed, or, where backups cannot be purged immediately, the date by which they will expire.
  • Make sure all access credentials are revoked: user accounts, API keys, VPN and single sign-on entitlements, and any shared mailboxes or file shares.
  • Keep a record of when and how the deletion was confirmed.

Failure to manage data properly at contract end is a common source of breaches.

6. Monday morning takeaways

If you work with suppliers:

  1. Always have a written data processing agreement.
  2. Check where data is stored and who has access.
  3. Approve sub-processors in writing.
  4. Review security standards regularly.
  5. Ensure deletion or return of data when the contract ends.

If you manage procurement or vendor relationships:

  1. Involve your privacy lead early in the process.
  2. Keep a register of all processors and sub-processors.
  3. Review agreements yearly.
  4. Build privacy clauses into all supplier contracts.
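The register of processors and sub-processors recommended above is only useful if someone actually runs the checks against it. The following is an added example written for this page, not a tool from Privacy Culture: a small Python script that takes a constructed sample register and flags the conditions the article tells you to chase. Namely a missing written DPA, an annual review that is overdue, data held or accessed outside the UK/EEA with no recorded transfer mechanism, a sub-processor with no written approval, and an ended contract with no deletion confirmation. The field names, the country list and the set of recognised transfer mechanisms are assumptions; adapt them to your own register.

```python
"""Processor-register check (added example, not Privacy Culture's code)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumption: the UK plus the EEA countries, as two-letter codes.
UK_EEA = {
    "GB", "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE",
    "GR", "HU", "IS", "IE", "IT", "LV", "LI", "LT", "LU", "MT", "NL", "NO",
    "PL", "PT", "RO", "SK", "SI", "ES", "SE",
}

# Assumption: the transfer safeguards your DPA recognises (ICO terminology:
# adequacy regulations, the IDTA, the UK Addendum to the EU SCCs).
TRANSFER_MECHANISMS = {"adequacy", "idta", "uk_addendum", "sccs"}

REVIEW_INTERVAL = timedelta(days=365)   # article: review compliance annually
TODAY = date(2025, 8, 1)                # as-of date for the sample run below


@dataclass
class SubProcessor:
    name: str
    country: str               # where it stores or accesses the data
    approved_in_writing: bool  # your written authorisation is on file


@dataclass
class Processor:
    name: str
    purpose: str
    dpa_signed: date | None          # None = no Article 28 contract on file
    last_review: date | None         # None = never reviewed
    data_locations: list[str]        # countries data is stored in or accessed from
    transfer_mechanism: str | None   # required if any location is outside UK/EEA
    sub_processors: list[SubProcessor] = field(default_factory=list)
    active: bool = True
    deletion_confirmed: date | None = None  # written confirmation at contract end


def check_processor(p: Processor, today: date) -> list[str]:
    """Return the findings for one processor; an empty list means nothing to chase."""
    findings: list[str] = []

    if p.dpa_signed is None:
        findings.append("no written data processing agreement on file")

    if p.last_review is None or today - p.last_review > REVIEW_INTERVAL:
        findings.append("annual compliance review overdue")

    # Remote access from outside the UK/EEA is a transfer too, so the register
    # records every country data is accessed from, not just where it is hosted.
    offshore = sorted({loc for loc in p.data_locations if loc not in UK_EEA})
    for sp in p.sub_processors:
        if sp.country not in UK_EEA:
            offshore.append(f"{sp.country} via sub-processor {sp.name}")
    if offshore and p.transfer_mechanism not in TRANSFER_MECHANISMS:
        findings.append(
            "data outside UK/EEA (" + ", ".join(offshore)
            + ") with no approved transfer mechanism"
        )

    for sp in p.sub_processors:
        if not sp.approved_in_writing:
            findings.append(f"sub-processor {sp.name} not approved in writing")

    if not p.active and p.deletion_confirmed is None:
        findings.append("contract ended but deletion/return of data not confirmed")

    return findings


def check_register(register: list[Processor], today: date) -> dict[str, list[str]]:
    """Map each processor name to its findings, omitting processors with none."""
    report = {p.name: check_processor(p, today) for p in register}
    return {name: f for name, f in report.items() if f}


# Constructed sample register; the supplier names are made up for this example.
SAMPLE_REGISTER = [
    Processor("PayFast Payroll", "payroll", dpa_signed=date(2024, 3, 1),
              last_review=date(2025, 2, 10), data_locations=["GB"],
              transfer_mechanism=None),
    Processor("CloudHR", "HR file hosting", dpa_signed=date(2023, 6, 15),
              last_review=date(2024, 5, 1),          # more than a year ago
              data_locations=["IE", "US"],           # US hosting, no mechanism recorded
              transfer_mechanism=None,
              sub_processors=[SubProcessor("BackupCo", "US", approved_in_writing=False)]),
    Processor("OldMailer", "marketing lists", dpa_signed=None, last_review=None,
              data_locations=["GB"], transfer_mechanism=None,
              active=False),                         # contract ended, nothing confirmed
]

if __name__ == "__main__":
    for name, findings in check_register(SAMPLE_REGISTER, TODAY).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run as-is, the script reports nothing for PayFast Payroll, three findings for CloudHR (overdue review, US data with no transfer mechanism, unapproved sub-processor) and three for OldMailer (no DPA, never reviewed, no deletion confirmation). Scheduling a run like this monthly, and feeding the output to the privacy lead, turns "review agreements yearly" from a good intention into something that is actually tracked.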

Quick summary

Key point                 | What it means                        | Why it matters
--------------------------|--------------------------------------|--------------------------
Controller responsibility | You decide how data is used          | You remain accountable
Processor duties          | Supplier follows your instructions   | Ensures GDPR compliance
Written contract          | Data Processing Agreement required   | Legal safeguard
Sub-processors            | Supplier's own suppliers             | Need your approval
Contract end              | Delete or return data                | Prevents lingering risk

In plain terms

When others handle your data, you must still ensure it is protected. Contracts, checks, and communication keep responsibility clear. GDPR expects controllers to know who is doing what with personal data and to prove it. A good supplier partnership is built on trust, backed by paperwork.
