Vendor Due Diligence for Privacy
When you bring in a new supplier that will handle personal data, you are trusting them with your customers' information — and you remain accountable for it. Due diligence is how you check that they are up to the job.
This is general guidance on what to assess before you sign up.
Questions to Ask
- What data will they access and why?
- Where will the data be stored?
- What security measures and certifications do they hold?
- Do they use sub-processors, and who?
- How do they handle data breaches and data subject rights requests?
Paperwork to Secure
Obtain their data processing agreement, review their security documentation, and confirm which safeguards cover any overseas transfers before you go live.
Keep It Proportionate
Match your scrutiny to the sensitivity and volume of the data involved. A tool handling health records warrants far more checking than one handling a newsletter mailing list.
| Risk level | Suggested diligence |
|---|---|
| Low (no personal data) | Light — standard terms |
| Medium (contact data) | DPA + security review |
| High (special category) | Full assessment + DPIA |
If you need a hand with any of this, your Progressive Robot delivery team is ready to help. Raise a ticket from the Support area of your client portal or speak to your account manager and we will guide you through the next steps.