Vendor Risk Management

Build Supply Chain Confidence.

Most modern business operations involve frequent exchanges of personal data with third parties. Data is shared with cloud services, customer relationship management systems, consultants, exported human resources functions, marketing agencies and more. It is crucial that organisations protect personal data at all stages within these supply chains. Tacita’s Vendor Risk Management service manages this for you.


Build Confidence

Be confident that you have performed your due diligence and investigated your personal data supply chain.

Reduce Risk

Reduce the risk of breach and non-compliance by proactively fixing issues before they arise.

Auditing Made Easy

Trust auditing to the experts. Tacita will investigate your third parties for the most common indicators of GDPR compliance.

Reduce the risk to your organisation

Send a message to one of our team and we will help you to build confidence in your supply chain.

How does it work?

Tacita will conduct audits of your third parties to assess the third-party GDPR risk to your business.


Vendor Risk Management FAQs

Tacita can audit any third parties who are defined under the GDPR as either your ‘Processors’ or ‘Sub-Processors’. For a typical business, this would include most of the third parties who you transfer personal data to.

Under the GDPR, it is a legal requirement that, when personal data is transferred between a data controller and a data processor, a contract is in place. This contract must have a clause that allows the data controller to audit the data processor to check for GDPR compliance. Similar requirements exist for processor to sub-processor contracts.

Unfortunately, there is no legal requirement to have this clause in place for joint controller relationships, but some third parties who are classed as joint controllers may still be happy to comply with a reasonable GDPR audit request.

Data Processors or Sub-Processors are required to comply with reasonable requests for GDPR audits from their Data Controller. Processors or Sub-Processors who refuse audit requests would be in breach of contract.

Tacita asks a selection of 35 questions that cover basic GDPR management practices. These questions cover the following topics: GDPR governance, training and awareness, policies, procedures, and third-party transfers.

These questions are not onerous; the majority are multiple choice. An organisation with competent GDPR management should be able to answer them within 20 minutes.

Please reach out to us if you would like to see a copy of the questions.

Tacita will produce a dashboard of results. The dashboard will contain a colour-coded summary of all organisations along with a breakdown of individual third parties. We will include an average score across all organisations and will indicate any third parties that are considered a risk.

Tacita recommends taking a risk management approach to issues that are found. Not all issues are equal and not all need to be resolved.

Take the example of a marketing consultant who has been given read-only access to parts of your marketing database. They provide advice and guidance for your marketing team. You may deem that the nature and scope of the data which this marketer has access to is low risk and that you have sufficient protections in place already. As such, remedial actions may not be needed.

Conversely, if you are sending children’s medical data to a third party who has scored low in Tacita’s audit, this is likely to be a high priority to remedy.

Yes. Tacita can work directly with your third parties to remedy issues that are found. We have ready-to-go solutions for the most common GDPR management issues that are identified.