vendor-privacy-due-diligence
Vendor Privacy Due Diligence
Overview
GDPR Article 28(1) requires controllers to use only processors providing "sufficient guarantees to implement appropriate technical and organisational measures" to meet GDPR requirements and protect data subject rights. This obligation means controllers must conduct thorough privacy due diligence before engaging any vendor that will process personal data. The European Data Protection Board (EDPB) Guidelines 07/2020 on controller and processor concepts reinforce that this assessment must be documented and proportionate to the risk involved.
At Summit Cloud Partners, the Vendor Privacy Due Diligence Program establishes a structured process for evaluating prospective vendors before any personal data processing begins.
Due Diligence Framework
Phase 1: Initial Screening
Before engaging in detailed evaluation, determine whether the vendor will process personal data at all.
Processing Determination Checklist: