Vetting Suppliers and Signing Data Processing Agreements
## The short answer
Whenever you let another company handle personal data on your behalf — your email platform, cloud host, accountant, CRM, or payroll provider — GDPR treats them as a "processor" and treats you as the "controller" who remains responsible. You must only use processors that provide sufficient guarantees about protecting the data, and you must have a written contract, commonly called a data processing agreement (DPA), that sets out specific terms. If a supplier mishandles personal data and you never vetted them or signed a proper contract, the failing lands on you, not just on them.
In other words, you cannot outsource the data and outsource the responsibility along with it.
## Controller versus processor
The distinction shapes everyone's duties:
- A **controller** decides *why* and *how* personal data is processed. That is usually you.
- A **processor** acts on the controller's instructions. That is the supplier.
Most suppliers that touch your customer or staff data are processors. Some, however, act as controllers in their own right for certain purposes — payment providers are a common example. Knowing which role each supplier plays tells you what contractual terms you need.
## What a data processing agreement must contain
GDPR specifies the minimum terms a controller-processor contract must include. A compliant DPA should require the processor to:
- **Only process data on your documented instructions.**
- **Ensure staff handling the data are bound by confidentiality.**
- **Apply appropriate security measures.**
- **Only use sub-processors with your authorisation**, and pass the same obligations down to them.
- **Help you respond** to individuals exercising their rights, such as subject access requests.
- **Help you meet** your own obligations on security and breach notification.
- **Delete or return the data** at the end of the contract.
- **Provide information** to demonstrate compliance and allow audits.
Many reputable suppliers offer a standard DPA you can accept. Read it rather than rubber-stamping it, and make sure it actually covers these points.
## Vetting a supplier before you sign
Due diligence is part of the obligation, not an optional extra. Before entrusting personal data to a supplier, consider:
- **Security posture** — do they hold recognised certifications or follow a credible security framework?
- **Where the data is stored** — is any of it outside the UK, and if so, how is it protected?
- **Sub-processors** — who else will touch the data downstream?
- **Breach handling** — how and how quickly will they tell you about an incident?
- **Track record** — any history of serious incidents?
Keep a short record of your assessment. If you ever have to justify your choice, that note matters.
## International transfers
If a supplier stores or accesses data outside the UK, you need an appropriate safeguard for that transfer, such as approved contractual clauses or an adequacy decision covering the destination country. This is easy to overlook with cloud services whose servers may sit abroad. Ask the question explicitly: *where does our data physically live, and who can access it from where?*
## Keep a supplier register
Maintain a simple list of every supplier that processes personal data for you, noting what data they handle, their role (processor or controller), whether a DPA is in place, and where the data is stored. This register is invaluable when answering questions, managing breaches, or reviewing your supply chain. It also surfaces forgotten tools quietly holding customer data.
## Ongoing, not one-off
Vetting is not a single event at signing. Suppliers change their practices, add sub-processors, or move data. Build in a periodic review of your key processors, and pay attention to notices they send about changes to their terms or sub-processor lists. Treating the relationship as something to monitor — not set and forget — is the diligence we apply when building enterprise-grade products at neart.ai, where the security of the whole chain matters, not just our own systems.
## Common mistakes
- **Assuming the supplier's compliance covers yours** — it does not; you remain responsible.
- **Never reading the DPA** before accepting it.
- **Forgetting smaller tools** — a survey app or a niche plugin still counts.
- **Ignoring international transfers** baked into cloud services.
- **No record of vetting**, so you cannot show you exercised diligence.
## Practical takeaway
List every supplier that handles personal data for you. For each, confirm a data processing agreement is in place, check it covers the required terms, note where the data is stored, and keep a brief record of why you trust them. Review the list periodically. Choosing and contracting with processors carefully is not bureaucracy — it is how you keep control of data that has left your own four walls.