The flow of personal data through your business will often involve transferring data to third-party vendors and suppliers. It is a vital part of your responsibilities to ensure the ongoing protection of this data. Assessing the GDPR compliance environment of your third-party vendors and suppliers should form a crucial part of your due diligence and risk management.
Tacita's vendor services can assist you with mapping how personal data flows out of your business and with performing assessments for risk management, supplier onboarding, or due diligence for mergers and acquisitions.
Map Personal Data Outside Of Your Business
Understanding how data flows to your third parties and their sub-processors is a crucial part of identifying weak links in the personal data you control.
Annual Risk Management
Assess the GDPR environment of your vendors as part of an annual risk management strategy.
Merger and Acquisition Due Diligence
Perform due diligence for new suppliers or as part of mergers and acquisitions.
Third Party Mapping
Discover the 'supply chain' of personal data within your business. As part of your responsibilities, when engaging with a third party, you should ask yourself the following questions:
- Do you fully understand where you send personal data to?
- Do you know the destination countries of the data?
- Do you know of any onward transfers to fourth parties?
- Do you know if these third parties use sub-processors?
- Are you aware of the technical and organisational measures that these third-party processors are using?
- Do you know if the correct contracting is in place between processors and sub-processors?
- How is personal data managed when a contract with a third party ends; are appropriate retention schedules in place?
Tacita's supplier mapping service can assist you in discovering these answers, ensuring you can keep on top of your data protection responsibilities.
Third Party Assessments
Annual risk assessments are increasingly becoming part of business strategy and due diligence. Discovering how well your third parties are adhering to data protection best practices is a critical part of understanding where weak links or potential breach avenues may occur. Tacita can perform GDPR Third Party Assessments for you. These assessments will:
- Allow you to understand how your third parties are managing the personal data which you are providing to them.
- Encourage good business practices in your third-party vendors.
- Allow you to develop an understanding of risks to your business, helping you to develop a risk management strategy.
- Allow your business to demonstrate a commitment to excellent data protection practices.
For detailed information on this service please contact us.
Merger and Acquisition Services
Mergers, acquisitions, and divestments bring with them risks, which is why due diligence is a huge aspect of any negotiations. Unfortunately, compliance with the GDPR and other data protection laws is an often-overlooked aspect of this field. The Marriott International hotel chain is a prime example. Marriott were fined £18.4 million for a data breach which occurred under the management of 'Starwood Hotels Group', a company which was later acquired by Marriott. Despite Marriott having no hand in the management which caused this breach, they were left to foot the bill. Read more about this story here.
Performing a thorough GDPR assessment prior to a merger or acquisition can help you make an informed decision. To discuss how Tacita can assist with this process please contact us to discover your specific needs.