Global Supply Chain Compliance with GDPR

Author: Rene Garcia


By now you have probably heard the acronym GDPR, especially within the context of international business. In summary, the European Union is taking steps to protect the data of individuals and businesses by enacting tough new laws. One of the components of these laws is the General Data Protection Regulation which will affect any business that offers goods or services to Europe. Supply chains that work with entities in the EU need to ensure that they are meeting the GDPR compliance requirements by the time the laws take effect in May of this year.

Preparing for GDPR

The practices discussed here aren’t meant to be comprehensive, but there are sensible steps to take. The first is knowing exactly what the complete supply chain system looks like. Companies must carry out a full audit of the supply chain to ensure data is being used and safeguarded correctly. With May a little over a month away, effort should be focused on where risk is highest from a data privacy perspective.

Identify what data will be collected, what will be shared, the data’s purpose, how long it can be kept, and what happens to the data at the end of the contract. These specifics should be written into every new supplier contract and added to every existing supplier contract. This would be an excellent time to review supply chain partners’ access to data to ensure they aren’t receiving information they don’t need.

Transparency and accountability are also key elements of GDPR. One of the mandates is that businesses must have a breach log to record and track any data breach – large or small, actual or suspected. While specifics on what details need to be contained in the log haven’t been defined, the best practice is to record as much information as possible. At a minimum, the log should contain when the breach took place, how the breach happened, the response to the breach, and the identities of stakeholders who managed the response. This information will help demonstrate an intent to comply.

It’s important to remember that – among many new rules – GDPR introduces a new accountability principle. This means that a company needs to not only comply but also demonstrate compliance. Comprehensive but proportionate governance measures are required, showing data protection compliance measures have been integrated into data processing activities at all stages.

GDPR Reaches Outside the European Union

All supply chains that extend outside of the EU must handle all data that passes through the EU as if it were still contained within the EU. So, if a supplier collects data from within the EU and then passes that data outside of the EU, then that data is still subject to GDPR. If that data is handled out of compliance anywhere along the supply chain, then the company handling the data incorrectly is exposing themselves to tremendous fines that can include 20 million euros or 4% of annual global turnover.

Building a supply chain that is compliance system that is GDPR compliant starts with working with partners you can trust. Avetta is your first step in discovering suppliers, vendors, and contractors that focus on safety, regulation compliance, and certifications.

Learn more at

How is your organization handling it?

We're taking steps internally to ensure we can support you during this crisis by:

business continuity plan illustration

Maintain a current Business Continuity Plan

sanitized work environment illustration

Promote a safe, clean and sanitized work environment

Work from home illustration

Enable employees to work remotely

Office Distancing illustration

Institute Office Distancing policies

travel restriction illustration

No visitors to the office

travel restriction illustration

Encourage employees to self-educate using online resources (WHO)

travel restriction illustration

Restrict travel—all non-essential travel is forbidden

To learn more, we encourage you to visit our COVID-19 Resource Library.

Visit Resource Center