GDPR Supplier Review

The GDPR Supplier Review concentrates on the fundamental principles of GDPR and where you or your supplier should concentrate to ensure compliance to the regulation.

This tool has been developed with the assistance of Andrew Denley working with Mark Foulsham and Brian Hitchen authors of the book 'GDPR: Guiding Your Business To Compliance: A practical guide to meeting GDPR regulations' , the book can be found here on Amazon. Andrew and Brian are Certified GDPR Practitioners.

Getting a high score does not mean you are fully compliant, but it does give you clear evidence where you are aligning to the regulation and where potential further work is required to close the gap. If you required an independent assessment or would like assistance with GDPR projects please contact us.
To see a sample project select Demo


GDPR Supplier Review
Supplier Name:
information Select ‘Your Company’ to asses your company, this will enable you to display your score on the company awards page (if you have selected to display awards in your profile).

To add other suppliers select ‘New Supplier’ and add their name, this new supplier will appear in the drop down (these will not appear on the company awards page).

GDPR Supplier Compliance Rating
Score 1
Score 2
Score 3
Score 4
Score 5
information You can display your company rating on the company awards page by changing the setting in your profile.
To access your profile click on your login name, top right of this page.
You can also embed this rating on your own web page by using the code provided on your profile page.
Level 1 - Initial
Very Low compliance to GDPR
Level 2 - Managed
Low compliance to GDPR
Level 3 - Defined
Good compliance to GDPR
Level 4 - Quality
High compliance to GDPR
Level 5 - Optimised
Very High Compliance to GDPR

GDPR Supplier Review Questions Compliance Quality
Policy & Governance
informationYes - There is evidence that the supplier satisfies the requirement.
No - The supplier does not satify the requirement.
N/A - This requirement is not applicable to the supplier.
informationRed - Only verbal evidence is available to support this answer.
Amber - There is some documented evidence but it doesn't satisfy the requirement completely.
Green - There is documented evidence to support this answer.
N/A - This requirement is not applicable to the supplier.
Do you have an individual assigned and accountable for data privacy (e.g. CPO (Chief Privacy Officer), Data protection Officer)?
Is there a group responsible for supporting and implementing policies, processes and procedures within the business?
Do you have a written policy in place that describes how personal data should be processed and managed?
Do you have a data retention policy?
Processes and Procedures
Do you have processes and procedures in place to support the 'Right to Erasure' removing/disposing of data safely?
Do you have processes and procedures in place for managing data privacy breaches?
Do you have a process/procedure to support a 'Right to Erasure' request?
Do you have a process/procedure to support the 'Subject Access Request'?
Do you have a procedure to disable user accounts to systems containing privacy data when a person leaves the organisation?
Do you have a process/procedure to remove suppliers access to systems containing privacy data when a when a suppliers contract has expired or terminated?
Do you have a process/procedure to assess prospective suppliers/sub-suppliers compliance to GDPR if they are providing Data Processing Services?
Do you have a process/procedure to carry out a Data Protection Assessment when initiating new tools or processes?
Do you have processes/procedures which define how to provide and revoke logins/access to systems?
Do you have processes/procedures in place to apply the data retention policy?
Do you have processes/procedures in place to confirm personal data is only used for the intended purpose?
Physical Access
Do you control and log who has physical access to your data (i.e. paper records or Storage media)?
Do you control who has access to your buildings and have the ability to deny access to individuals?
Are there shared access area's where multiple clients have physical access to other clients data?
Where data is stored in physical documents, are they stored in an access controlled room/cabinet?
When documents contain privacy data are disposed of do you use appropriate secure means?
Are technical assets such has hard drives and components disposed of using appropriate secure means?
As a supplier do you have an asset register that is current and up to date (logging what personal data is being held in all of your systems)?
Does your asset register log 'information assets' as well as physical assets?
Application and Network Access
Do you use tools to protect your applications and network (e.g. Anti Virus software)?
Are your web and in-house applications scanned for vulnerabilities?
Do you retain system logs of user access to applications and networks for any prospective investigation purposes?
Do you undertake regular penetration tests for your application and Network undertake?
Do you have managed access controls for all application and Network (i.e. require password/logins)?
Is there a one to one relationship between passwords and users (i.e. you don’t have common logins for more than one person)?
Has your system architecture been designed so there are logic and physical separations where required?
Does a third party have access to your network?
Do you prevent users from installing their own/chosen software?
Are security patches applied to applications and hardware in a timely manner?
Do you use firewalls to protect your network?
Is your Web site protected and logically separate from personal data?
Is there a record of what personal data is being transferred outside of the organisation and whom?
Do you retain a record of all suppliers who undertake Data Processing activities on your behalf?
Does your data contain 'unique traceable data' to enable you to identify where a breach occurred?
As a supplier are all individuals who process data on behalf of you within the EU?
Do you have the facility to encrypt data when it is being transferred to external systems, clients or suppliers?
Does your data exclude 'Special category data' (i.e. you don not hold medical data, ethnic origin)?
Are users within your company prevented from exporting personal data from all systems and databases unless they have specific permission?
Is personal data only kept within the EU and never transferred outside of the EU?
Are you able to demonstrate accurate logging and the use of Personal Data in line with your Data Retention Policy?
Do you operate a company wide Risk Management system and review on a regular basis?
Are all your policies and procedures reviewed at least annually to ensure they still meet the GDPR requirements?
Is there a log maintained of data privacy breaches?
Do you have Firewalls in place that implement Intruder Detection and Intruder Prevention systems to protect your network?
Do you enforce password changes at a regular interval?
Do you enforce password strength and complexity?
Do you prevent re-use of old passwords?
Are systems locked after multiple incorrect attempts?
Is your wireless network logically separated from accessing privacy data?
Do you comply with or have certification to any approved Information Security Standards (e.g. ISO27001, Cyber Essentials, NIST)?
If you process Credit Card payments are you compliant with PCI/DSS?
Do your contracts with third parties describe how personal data will be managed, kept secured and comply with GDPR?
Are there suitable penalties within your contracts to ensure/encourage compliance?
Are there suitable reviews and reports to demonstrate compliance described within your contract (when and how)?
Where applicable, does your website have a Privacy Statement and is it compliant with the GDPR?
Does you contract describe service requests to support GDPR (i.e. remove data, update date, produce reports, service information requests)?
Do all staff undertake appropriate training on data privacy on a regular basis?
Do all project staff undertake appropriate training to enable data privacy to be designed into projects?
When providing access to systems/data are users made aware of the importance of the data and how to avoid breaking GDPR?
Do you provide warning and reminders related to data when users log in?
Is there an on boarding training for GDPR for new employees before they are granted access?