Organizations that rely on third-party tools to handle personal data should audit vendors to meet the European Union's (EU) General Data Protection Regulation (GDPR) requirements.
This article explains what the GDPR is, why organizations are liable for vendor noncompliance, and how to conduct a GDPR vendor audit to reduce compliance risk.
- 1. What Is the GDPR?
- 2. Why You're Liable for Vendor Violations Under the GDPR
- 3. What Is a GDPR Vendor Audit?
- 4. How to Conduct a GDPR Vendor Audit
- 4.1. Step 0. Confirm the vendor's GDPR role (processor vs. controller vs. joint controller)
- 4.1.1. Which contract do I need?
- 4.2. Step 1. Map Vendor Data Processing
- 4.3. Step 2. Confirm Data Processing Agreements (DPA) Are in Place
- 4.4. Step 3. Check Safeguards for Data Transfers Outside the EU
- 4.5. Step 4. Evaluate Vendor Security and Privacy Practices
- 4.6. Step 5. Identify Compliance Risks and Remediation Actions
- 4.7. Step 6. Know When to Switch Vendors Due to Compliance Risk
- 5. Summary
What Is the GDPR?
The GDPR is the EU's primary data protection law. It requires applicable organizations to protect personal data and honor EU individuals' privacy rights.
Personal data is information that can be used to identify a person, including names, ID numbers, and health and financial data.
The GDPR gives individuals ('data subjects') enforceable rights as outlined in Chapter III (Article 15 to Article 22), including the rights to access, edit, and delete their personal data.
The GDPR applies to organizations in the EU that process personal data, as well as those located outside of the EU that offer goods or services to or track the behavior of individuals in the EU.
Data controllers (those who decide how and why to process personal data) must take steps to comply with the GDPR, including:
- Having a legal basis for processing personal data
- Providing a Privacy Policy that explains their data processing practices
- Keeping personal data secure
- Ensuring the collection of personal data is limited to what's necessary to fulfill specified purposes
- Maintaining Data Processing Agreements (DPAs) with data processors (entities that process personal data on the controller's behalf)
- Appointing a representative within an EU member state (if their organization is located outside of the EU)
- Designating a Data Protection Officer (DPO) to ensure GDPR compliance (if necessary)
- Enabling individuals to exercise their privacy rights
- Maintaining records of data processing activities
- Conducting Data Protection Impact Assessments (DPIAs) (when necessary)
Article 6 of the GDPR explains that organizations must have a legal basis for processing personal data, such as consent, legitimate interests, or to perform a contract.
Why You're Liable for Vendor Violations Under the GDPR
Under the GDPR, data controllers are responsible for ensuring that third-party vendors process personal data in compliance with the law. That means that while you can delegate data processing to third-party processors, you are still accountable for how personal data is handled.
The GDPR requires data controllers to:
- Only use data processors that provide "sufficient guarantees" of GDPR compliance
- Have binding contracts in place
- Include audit rights in DPAs
- Take action if violations occur
Article 28 of the GDPR explains that data controllers must ensure that personal data processed on their behalf is handled in accordance with the GDPR and governed by a contract that specifies how the data is to be processed.
You have to do your due diligence when using third-party tools that process personal data and make sure any personal data you share with vendors receives adequate protection required by the GDPR.
GDPR penalties can be significant. Failure to comply with GDPR requirements can result in serious fines: up to €20 million, or 4% of your annual global revenue from the previous year, depending on which provisions were breached. That's not to mention damage to your reputation.
Unless you can prove that you were "not in any way responsible for the event giving rise to the damage," you can be held fully responsible for GDPR violations caused by a noncompliant third party. Under Article 82 of the GDPR, both controllers and processors can be liable to individuals for damage caused by GDPR-infringing processing, and liability can be "joint and several" (meaning a claimant may pursue one party for the full amount).
Article 83 of the GDPR states that violations are subject to fines of up to the higher amount of €20 million or 4% of the organization's annual global revenue from the preceding financial year.
What Is a GDPR Vendor Audit?
A GDPR vendor audit is a process where a company can confirm that the third-party tools and partners that process personal data on its behalf comply with the GDPR.
Vendor audits help demonstrate accountability under GDPR Article 5(2), and should be conducted during onboarding, annually, after incidents, and when the scope of your data processing changes.
Vendor audits are typically risk-based: run due diligence before onboarding, re-check after incidents or material changes, and perform periodic reviews on a cadence proportionate to the sensitivity/volume of data.
How to Conduct a GDPR Vendor Audit
Conducting a GDPR vendor audit involves reviewing how third-party vendors process personal data.
Key steps include mapping vendor data processing, confirming the existence of DPAs, checking safeguards for data transfers outside of the EU, reviewing vendor security and privacy practices, identifying compliance risks and remediation actions, and determining when to switch vendors due to compliance risk.
Let's take a look at how to implement each step of a GDPR vendor audit.
Step 0. Confirm the vendor's GDPR role (processor vs. controller vs. joint controller)
Before you review contracts, confirm the vendor's legal role because the required agreement changes:
- If the vendor only processes personal data on your documented instructions, it's typically a processor (Article 28).
- If the vendor determines its own purposes (for example, using customer data to improve its own product or build profiles), it may be an independent controller for that use. This means that Article 28 terms alone won't cover the relationship.
- In some setups, you and the vendor can be joint controllers for specific processing steps (for example, where embedding a third-party plugin enables collection/transmission to that third party), which triggers Article 26 allocation-of-responsibility requirements.
Business takeaway: Ask one practical question: "Who decides the purposes and essential means of this processing?" Document the answer in your vendor register, because it determines whether you need an Article 28 DPA, an Article 26 joint controller arrangement, or a controller-to-controller data sharing contract.
Which contract do I need?
| Vendor role (in your scenario) | What it means (plain English) | Primary GDPR hook | What you should put in place |
|---|---|---|---|
| Processor | Vendor only acts on your instructions | Article 28 | DPA + security/TOMs + subprocessor controls + audit/assurance model |
| Independent controller | Vendor decides its own purposes for some processing | Articles 13/14, 24, 30, etc. | Controller-to-controller data sharing terms + transparency + legal basis + transfer mechanism if needed |
| Joint controller (for specific steps) | You and vendor jointly determine purposes/means for some operations | Article 26 | Joint controller arrangement allocating responsibilities + notice to individuals |
Step 1. Map Vendor Data Processing
Mapping vendor data processing involves:
- Identifying all third-party vendors that process personal data
- Documenting what data they process, how and why they process it, and where they store it
- Ensuring personal data is handled in compliance with the GDPR
You'll want to check all third-party tools, platforms, service providers, and integrations that process personal data on your behalf.
For each vendor, you should record:
- What kinds of data they handle (such as names, emails, payment information, and health data)
- Why they process personal data
- Where they store the data and how long they retain it
- The reasons and legal bases for processing the data
- Whether the vendor uses subprocessors (third parties a processor uses to process personal data on behalf of a controller)
Article 30 of the GDPR states that controllers must maintain a record of processing activities that includes the reasons for the data processing, the recipients to whom personal data will be disclosed, and a description of the data subjects and types of personal data, among other information.
If you have a smaller organization, you can map vendor data processing with a basic spreadsheet; data mapping tools such as OneTrust or BigID might be better options for larger organizations.
OneTrust helps organizations map data flows to get a centralized view of how data moves across their systems, vendors, and data processing activities.
Whichever solution you use to map vendor data processing, it's important to review the map periodically and update it as new vendors are added or services or the scope of data processing changes.
Step 2. Confirm Data Processing Agreements (DPA) Are in Place
A DPA is a legally binding contract between a controller and a processor that is required under the GDPR. It contains information about the purpose and duration of the data processing, the types of personal data and data subjects involved, and the data controller's rights and responsibilities.
A DPA should require that the processor agrees to:
- Follow the controller's instructions for processing personal data
- Keep the personal data they process confidential and secure
- Ensure subprocessors comply with the GDPR
- Assist the controller in responding to data subject requests
- Support the controller in fulfilling GDPR obligations
- Delete or return personal data as instructed by the controller
- Cooperate with audits or inspections as requested
- Immediately inform the controller if the processor believes an instruction violates the GDPR
Article 28 of the GDPR lists the information that a DPA should contain, including that the processor agrees to assist the controller in responding to data subject requests, complying with the GDPR, deleting and returning personal data, and participating in audits and inspections.
Many major third-party service providers, such as Mailchimp, Google Analytics, or PayPal, already have a standard DPA available for review on their websites.
Mailchimp's Data Processing Addendum explains that it only processes Customer Data in accordance with the Customer's instructions.
It's important to only use third-party vendors that make adequate data protection guarantees.
You can do this by reviewing their DPA and ensuring that it covers:
- Data processing scope
- Security measures
- Information about subprocessors
- Audit rights
- Data return and deletion at the end of service
If a third party's DPA isn't sufficient for GDPR compliance, you can request any changes needed. Be sure to keep a record of the DPA and any changes made to it for audit purposes.
If you're making your own DPA, GDPR.eu offers a DPA template that you can use as a guideline to ensure your DPA contains the appropriate information.
GDPR.eu's DPA template includes information about audit rights and data transfer, among other clauses.
What "audit rights" look like in practice: Article 28 expects processors to allow and contribute to audits, but this does not always mean on-site inspections. The key is that the controller can demonstrate it selected a processor with "sufficient guarantees" and monitors those guarantees on an ongoing basis.
Step 3. Check Safeguards for Data Transfers Outside the EU
The GDPR requires controllers and processors that transfer personal data outside of the EU to make sure certain safeguards are in place and that enforceable data subject rights and legal remedies are available. Personal data transferred outside the EU must receive essentially equivalent protection as provided by the GDPR.
The EU has adopted an adequacy decision for the EU-US Data Privacy Framework (DPF), which means that personal data can be transferred outside of the EU to certain US companies that have self-certified under the DPF and are listed on the official DPF registry without additional transfer safeguards.
You can search the DPF list by typing in the name of an organization.
Companies that are not listed on the DPF registry need to use certain tools, such as standard contractual clauses (SCCs) or binding corporate rules (BCRs), when transferring personal data between the EU and the US.
The European Commission issues SCCs, which are pre-approved legal contracts that businesses can use to transfer personal data from the EU to the US.
BCRs are enforceable data protection policies that multinational businesses can use to comply with the GDPR when conducting data transfers internally. A supervisory authority can approve BCRs if they are legally binding, grant enforceable rights to data subjects, and meet GDPR requirements.
You should check the DPF registry to see if third-party vendors are listed. If not, check their DPAs or other legal documents to see if they use SCCs or BCRs to protect personal data.
Mailchimp's Data Processing Addendum explains that it incorporates SCCs to protect data transferred outside of the European Economic Area (EEA) that is not covered by the DPF.
Post-Schrems II reminder: transfers usually require more than picking a "tool." Even when you rely on Standard Contractual Clauses (SCCs) or another Article 46 transfer mechanism, you should assess whether the destination country's laws could undermine the protections in practice and, where needed, implement supplementary measures (technical, contractual, and organisational). This is commonly documented as a Transfer Impact Assessment (TIA), reflecting the CJEU's Schrems II judgment and the EDPB's transfer recommendations.
Step 4. Evaluate Vendor Security and Privacy Practices
Evaluating vendor security and privacy practices helps you confirm that third-party vendors protect personal data, are transparent about their processing activities, respond appropriately to security incidents and data subject requests, and comply with the GDPR.
You can do this by reviewing vendor security policies, DPAs, and Privacy Policies. These policies should describe how personal data is used, shared, and protected, and how data subjects can exercise their privacy rights.
A GDPR-compliant Privacy Policy should be clearly written, easily accessible, and include the following clauses:
- The organization's identity and contact information
- The DPO's contact info (if applicable)
- What types of personal data are processed and why
- The legal basis or bases for processing personal data
- Recipients of personal data
- Whether the personal data is transferred outside the EU
- How long personal data is retained
- A list of privacy rights and a description of how data subjects can exercise their rights
- Whether automated decision making is involved in data processing
- Security measures in place to protect personal data
- Contact details of the EU representative (if Article 27 applies)
- Right to lodge a complaint with a supervisory authority
- Where processing is based on consent, the right to withdraw consent
- Whether providing data is statutory/contractual and the consequences of not providing it
- Where data wasn't collected from the individual, the categories/source of the data
Goosehead Insurance's Privacy Policy includes information about the personal information it collects, how it keeps personal information secure, and data subjects' privacy rights.
If policy language is vague, you can ask follow-up questions. For instance, if a policy states that encryption is used, you can ask the vendor what types of personal data are encrypted and which encryption algorithms are used.
Step 5. Identify Compliance Risks and Remediation Actions
Before working with a third-party vendor, you can request that the vendor complete a GDPR compliance questionnaire to assess risk.
The questionnaire can contain questions about:
- The types of personal data processed
- Where data is stored
- How long data is retained
- Whether data is shared or transferred
- How data is protected
- Security certifications
- Data breach response protocols
- How the vendor supports data subject rights
- What policies the vendor has in place (security and Privacy Policies and DPAs)
UpGuard's GDPR Vendor Security Questionnaire Template includes questions for organizations about how they manage data privacy, their familiarity with the GDPR's data processing principles, and whether they offer a Privacy Notice, among others.
Once you have gathered information from the third-party vendor (including DPAs, security and Privacy Policies, and a completed GDPR compliance questionnaire), you can compare this data with GDPR requirements.
To comply with the GDPR, vendors should:
- Maintain a list of their data processing activities
- Have a legal basis or bases for processing personal data
- Maintain a clearly written, easily accessible, and regularly updated Privacy Policy
- Keep personal data secure (including providing adequate safeguards when transferring data outside the EU when required)
- Provide a way for data subjects to exercise their privacy rights
- Have a process in place for responding to data breaches and data subject requests
- Have a designated individual responsible for ensuring the organization's GDPR compliance
- Have a signed DPA in place (when required)
- Appoint a representative within the EU (if the organization is located outside the EU)
- Appoint a DPO (if required)
You can assign a risk level to each gap (low, medium, or high) and then define remediation actions. For example, if a vendor has an outdated or generic Privacy Policy, you can require the vendor to update their policies before choosing to work with them.
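The decisions in Step 0 (role to required contract), Step 3 (storage location to transfer safeguard) and Step 5 (gaps to risk level and remediation) can be encoded as checks over the vendor register built in Step 1. The script below is an added example written for this article, not code from the article, GDPR.eu, OneTrust, UpGuard or any vendor named above; the `Vendor` fields, the three fictional vendor records, the special-category list and the low/medium/high thresholds are constructed assumptions that you would replace with your own register and risk policy.

```python
"""Vendor-register checks for a GDPR vendor audit (added example, not from the article).

Encodes Step 0 (role -> required contract), Step 3 (storage -> transfer safeguard)
and Step 5 (gaps -> risk and remediation). All vendor records, field names and
risk thresholds are constructed assumptions, not any real vendor's data.
"""
from __future__ import annotations

from dataclasses import dataclass

# EU-27 plus the three EEA EFTA states; data kept here is not transferred abroad.
EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES",
    "SE", "IS", "LI", "NO",
}

# Article 9 special categories get a stricter retention check (assumed house policy).
SPECIAL_CATEGORIES = {"health", "biometric", "genetic", "political", "religion"}

# Step 0: the vendor's role decides which agreement must exist.
REQUIRED_CONTRACT = {
    "processor": "Article 28 DPA",
    "controller": "controller-to-controller data sharing terms",
    "joint_controller": "Article 26 joint controller arrangement",
}

RISK_ORDER = {"low": 0, "medium": 1, "high": 2}


@dataclass
class Vendor:
    name: str
    role: str                       # "processor" | "controller" | "joint_controller"
    data_categories: list[str]
    storage_country: str            # ISO 3166-1 alpha-2 code
    contract_in_place: bool         # the contract required for the role is signed
    dpf_certified: bool             # listed on the EU-US DPF registry
    transfer_mechanism: str | None  # "SCC", "BCR" or None
    retention_days: int | None      # None = vendor did not state a retention period
    audit_rights: bool              # contract lets you audit or obtain assurance
    subprocessor_list: bool         # vendor discloses its subprocessors
    privacy_policy_url: str | None


def required_contract(role: str) -> str:
    """Step 0: map the vendor's GDPR role to the agreement you need."""
    try:
        return REQUIRED_CONTRACT[role]
    except KeyError:
        raise ValueError(f"unknown vendor role: {role!r}") from None


def transfer_safeguard(v: Vendor) -> tuple[bool, str]:
    """Step 3: is non-EEA storage covered by a transfer safeguard?"""
    if v.storage_country in EEA:
        return True, "no third-country transfer (data stored in the EEA)"
    if v.storage_country == "US" and v.dpf_certified:
        return True, "EU-US DPF adequacy decision"
    if v.transfer_mechanism in ("SCC", "BCR"):
        return True, f"{v.transfer_mechanism} under Article 46 (confirm a TIA is on file)"
    return False, f"no safeguard for storage in {v.storage_country}"


def find_gaps(v: Vendor) -> list[tuple[str, str, str]]:
    """Step 5: return (risk, gap, remediation) triples for one vendor."""
    gaps = []
    contract = required_contract(v.role)
    if not v.contract_in_place:
        gaps.append(("high", f"{contract} missing", f"sign {contract} before go-live"))
    ok, why = transfer_safeguard(v)
    if not ok:
        gaps.append(("high", why, "require DPF certification, SCCs or BCRs plus a TIA"))
    if v.retention_days is None:
        sensitive = bool(set(v.data_categories) & SPECIAL_CATEGORIES)
        gaps.append(("high" if sensitive else "medium", "retention period not stated",
                     "obtain a documented retention and deletion schedule"))
    if v.role == "processor":  # Article 28 duties apply only to processors
        if not v.audit_rights:
            gaps.append(("medium", "no audit rights in DPA", "add audit/assurance clause"))
        if not v.subprocessor_list:
            gaps.append(("medium", "subprocessors not disclosed",
                         "require a subprocessor list and change notifications"))
    if not v.privacy_policy_url:
        gaps.append(("medium", "no published Privacy Policy", "request an up-to-date policy"))
    return gaps


def overall_risk(gaps: list[tuple[str, str, str]]) -> str:
    """Highest gap level wins; a vendor with no gaps is low risk."""
    return max((g[0] for g in gaps), key=RISK_ORDER.__getitem__, default="low")


def audit(vendors: list[Vendor]) -> dict[str, dict]:
    """Run every check over the register and return a per-vendor summary."""
    return {
        v.name: {"contract": required_contract(v.role),
                 "transfer": transfer_safeguard(v)[1],
                 "gaps": find_gaps(v),
                 "risk": overall_risk(find_gaps(v))}
        for v in vendors
    }


# Constructed sample register: fictional vendors, not real services.
SAMPLE_VENDORS = [
    Vendor("mailer-co", "processor", ["name", "email"], "US", True, True, None, 730,
           True, True, "https://mailer.example/privacy"),
    Vendor("analytics-plugin", "joint_controller", ["ip", "behavioural"], "US", False,
           False, "SCC", None, False, False, "https://analytics.example/privacy"),
    Vendor("health-portal", "processor", ["name", "health"], "IN", True, False, None,
           None, True, True, None),
]

if __name__ == "__main__":
    for name, result in audit(SAMPLE_VENDORS).items():
        print(f"{name}: risk={result['risk']}; contract={result['contract']}; "
              f"transfer={result['transfer']}")
        for risk, gap, fix in result["gaps"]:
            print(f"  [{risk}] {gap} -> {fix}")
```

The register is the same one Step 1 asks you to keep, so the checks run unchanged at onboarding, after an incident or when the scope of processing changes; the joint-controller record shows why Step 0 matters, since it is flagged for a missing Article 26 arrangement rather than for a missing DPA.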
Step 6. Know When to Switch Vendors Due to Compliance Risk
If a vendor can't demonstrate GDPR compliance, refuses to fix serious issues, or exposes personal data to risk, you should replace them to protect your organization and meet GDPR requirements.
Warning signs that a vendor may not be GDPR-compliant include:
- Lack of transparency
- No DPA or Privacy Policy
- Inadequate security measures
- Excessive data collection or retention
- History of data breaches or GDPR violations or fines
Summary
The GDPR is the EU's comprehensive data protection law. It requires data controllers to ensure that the third-party vendors that process personal data on their behalf comply with the law.
A GDPR vendor audit can help you confirm that the processors you use comply with the GDPR.
The steps to conducting a GDPR vendor audit include:
- Mapping vendor data processing
- Confirming the existence of DPAs
- Checking safeguards for data transfers outside the EU
- Reviewing vendor security and privacy practices
- Identifying compliance risks and remediation actions
- Knowing when to switch vendors due to compliance risk