Is your small business GDPR fit? Demonstrate GDPR compliance as a supplier
We look at how small businesses are being asked to demonstrate GDPR compliance as part of procurement processes for bigger organisations that are now getting to grips with GDPR in the supply chain.

As the General Data Protection Regulation (GDPR) becomes more embedded in everyday business practice, the need for organisations to validate compliance throughout their supply chain is becoming evident. Increasingly, organisations are being asked to confirm contractually, and to provide evidence, that they have implemented the appropriate technical and organisational measures required by the legislation.
Demonstrating GDPR compliance to become an ‘approved supplier’

Our clients have been feeding back their experiences in this area, and that feedback helps us continue to develop our online GDPR compliance support tool.

In our experience, larger organisations now seek evidence such as policies, training records and reporting protocols before allowing an organisation to become an ‘approved supplier’. This can be a challenge for small businesses that do not necessarily have the in-house skills needed. All such records, training and evidence are provided through Astrid, and this has been helpful for our clients who have been challenged through the procurement process.
GDPR questions being asked of small businesses

There are some key areas where it is important to have rigorous processes in place so that you can demonstrate compliance as part of a business procurement process:
- Can you effectively describe your organisation’s approach to data protection and data security?
- What training and procedures do you have in place to ensure your staff know how to deal with confidential and personal data?
- What are your procedures for identifying and dealing with a data breach?
- Have you fully mapped all the personal data flows within your organisation?
- How do you ensure that any sub-contractors (sub-processors) are also compliant with GDPR?
Finally, if you are completing a tender or a pre-qualification questionnaire (PQQ), you will need to consider the personal data that you share through that process and how it is identified and handled within your submission. This approach is in itself a practical demonstration of how compliant your small business is with data protection legislation.