How should Third‑Party Cyber Risk be managed under UK GDPR?


Third‑party cyber risk should be assessed, monitored, and documented based on the personal data suppliers handle.

Why this matters

Suppliers are a common source of GDPR breaches.

Key controls

  • Due diligence before onboarding
  • Security and GDPR clauses in contracts
  • Ongoing monitoring

Role of IT

  • Assess suppliers' technical controls and make use of the security features they offer
  • Flag high‑risk vendors
  • Support procurement decisions

Evidence regulators expect

  • Supplier risk management
  • Incident handling processes