Supply Chain Compliance with GDPR

Author: Rene Garcia


By now you have probably heard the acronym GDPR, especially within the context of international business. In summary, the European Union is strengthening the protection of individuals' personal data with a tough new regulation. The General Data Protection Regulation (GDPR) applies to any business that offers goods or services to people in the EU or monitors their behaviour, wherever that business is located. Supply chains that work with entities in the EU need to ensure that they are in compliance by the time the regulation becomes enforceable on 25 May 2018.

Preparing for GDPR

The practices discussed here aren't meant to be comprehensive, but there are sensible steps to take. The first is knowing exactly what the complete supply chain looks like: which suppliers, subcontractors and service providers receive personal data, and what they do with it. Companies must carry out a full audit of the supply chain to ensure data is being used and safeguarded correctly. With May a little over a month away, effort should be focused where the risk is highest from a data privacy perspective: suppliers that handle large volumes of personal data, special categories of data such as health information, or EU residents' data from outside the EU.

Identify what personal data will be collected, what will be shared with each supplier, the purpose of the processing, how long it can be kept, and what happens to the data at the end of the contract (return or deletion). GDPR requires these terms to be set out in a written contract between a controller and each processor (Article 28), so they should be written into every new supplier contract and added to every existing one. This is also an excellent time to review supply chain partners' access to data and remove access to anything they don't need for the contracted work.

Transparency and accountability are also key elements of GDPR. One of the mandates is that businesses must keep a breach log recording every personal data breach, large or small, actual or suspected. The regulation itself only says the record must cover the facts of the breach, its effects and the remedial action taken (Article 33(5)), so the best practice is to record as much information as possible. At a minimum, the log should contain when the breach took place, how it happened, the response to it, and the identities of the stakeholders who managed the response. Keep in mind that a breach likely to put individuals' rights at risk must also be reported to the supervisory authority within 72 hours of becoming aware of it, so the log should make that deadline visible. A well-kept log demonstrates an intent to comply.
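As an added example (not code from the article or from Avetta), here is a minimal breach log in Python that enforces the four minimum fields above and stores entries as an append-only, hash-chained JSON Lines record, so that any later edit or deletion of an entry can be detected when the log is produced as evidence. The hash chaining goes beyond what the article describes; the field names, the BreachLog class and the two sample incidents are assumptions made up for illustration.

```python
"""Append-only, hash-chained breach log.

Added example: not code from the article or from Avetta. Field names,
the class and the sample incidents are illustrative assumptions.
"""
import hashlib
import json
from datetime import datetime, timezone

# The four fields the article lists as the minimum for every entry.
REQUIRED_FIELDS = ("occurred_at", "cause", "response", "handled_by")
GENESIS_HASH = "0" * 64  # previous-hash value for the very first record


def _record_hash(record):
    """SHA-256 over the record minus its own hash, in canonical JSON."""
    body = {k: v for k, v in record.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def validate_entry(entry):
    """Raise ValueError if a minimum field is missing or the timestamp is bad."""
    missing = [f for f in REQUIRED_FIELDS if not entry.get(f)]
    if missing:
        raise ValueError("breach log entry missing required fields: %s" % missing)
    datetime.fromisoformat(entry["occurred_at"])  # ValueError if malformed
    if not isinstance(entry["handled_by"], list):
        raise ValueError("handled_by must be a list of stakeholders")


class BreachLog:
    def __init__(self):
        self.records = []

    def append(self, entry, recorded_at=None):
        """Validate the entry and chain it to the previous record."""
        validate_entry(entry)
        prev_hash = self.records[-1]["hash"] if self.records else GENESIS_HASH
        recorded_at = recorded_at or datetime.now(timezone.utc)
        record = {
            "seq": len(self.records) + 1,
            "recorded_at": recorded_at.isoformat(),
            "prev_hash": prev_hash,
            "entry": dict(entry),
        }
        record["hash"] = _record_hash(record)
        self.records.append(record)
        return record

    def verify(self):
        """Return (True, None) if intact, else (False, index of first bad record)."""
        prev_hash = GENESIS_HASH
        for i, rec in enumerate(self.records):
            if (rec.get("seq") != i + 1 or rec.get("prev_hash") != prev_hash
                    or _record_hash(rec) != rec.get("hash")):
                return False, i
            prev_hash = rec["hash"]
        return True, None

    def dumps(self):
        """Serialise as JSON Lines, one record per line, for an append-only file."""
        return "".join(json.dumps(r, sort_keys=True) + "\n" for r in self.records)

    @classmethod
    def loads(cls, text):
        log = cls()
        log.records = [json.loads(line) for line in text.splitlines() if line.strip()]
        return log


# Constructed sample incidents (not real events).
SAMPLE_ENTRIES = [
    {
        "occurred_at": "2018-04-03T14:20:00+00:00",
        "cause": "Supplier emailed a customer export to the wrong external address",
        "response": "Recipient confirmed deletion; supplier changed its export process",
        "handled_by": ["data protection officer", "supplier account manager"],
        "status": "confirmed",
    },
    {
        "occurred_at": "2018-04-09T08:05:00+00:00",
        "cause": "Suspected credential stuffing against the supplier portal",
        "response": "Forced password reset for affected accounts; logs preserved",
        "handled_by": ["security incident lead"],
        "status": "suspected",
    },
]


def demo():
    """Build a log, round-trip it through JSON Lines, then tamper with it."""
    log = BreachLog()
    for i, entry in enumerate(SAMPLE_ENTRIES):
        log.append(entry, recorded_at=datetime(2018, 4, 10, 9, i, tzinfo=timezone.utc))
    restored = BreachLog.loads(log.dumps())
    intact = restored.verify()
    restored.records[0]["entry"]["response"] = "no action taken"  # quiet edit
    tampered = restored.verify()
    return intact, tampered


if __name__ == "__main__":
    print(demo())
```

Write log.dumps() to a file that only the incident process can append to, and keep the newest hash somewhere outside the file (a ticket, a signed message) so that truncation of the latest entries, which the chain alone cannot detect, is also caught.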

It's important to remember that, among many new rules, GDPR introduces an accountability principle (Article 5(2)): a company must not only comply but also be able to demonstrate compliance. Comprehensive but proportionate governance measures are required, showing that data protection has been built into processing activities at every stage, from design through to the end of the supplier relationship.

GDPR Reaches Outside the European Union

GDPR protection travels with the data. Personal data collected in the EU stays subject to GDPR when a supplier passes it to a partner outside the EU, and such transfers are lawful only under a recognised mechanism such as an adequacy decision, standard contractual clauses or binding corporate rules. If the data is handled out of compliance anywhere along the supply chain, the company responsible exposes itself to fines of up to 20 million euros or 4% of annual global turnover, whichever is higher, and the controller that engaged the supplier remains answerable for its choice of processor.

Building a supply chain that is compliant with GDPR starts with working with partners you can trust. Avetta is your first step in discovering suppliers, vendors, and contractors that focus on safety, regulation compliance, and certifications.

Learn more at