I trust you, I trust you not...

Written by Rebecca Bada
GDPR Consultant

What is supplier due diligence and why should you do it

Supplier due diligence is an action taken by an organisation to identify and understand the credibility and suitability of a prospective partner or vendor. Conducting supplier due diligence can help guide decision-making when choosing the right vendor, detect risks with potential suppliers and protect customer data in the process. It's also considered good business practice and can help mitigate future financial and reputational damage caused by a data breach.

Performing checks is a standard approach in nearly every facet of life (family, work, education), so supplier due diligence should not be foreign to companies. Failure to carry out supplier due diligence can lead to data breaches that are damaging to businesses.

Many organisations fall into the trap of neglecting the data protection side of the procurement process through a lack of due diligence. Yet Article 28 of the UK GDPR states that a data controller must only use a data processor that can provide "sufficient guarantees" (particularly in terms of its expertise, resources and reliability) to comply with the UK GDPR and protect the rights of individuals.

Onboarding vendors to process your customers' or employees' data is implicitly stating that you trust them to process your personal data. This must be agreed upon by both parties by signing a Data Processing Agreement (DPA), as discussed in last month's blog article.

It's recommended and best practice for supplier due diligence to be an ongoing process with data controllers reviewing a processor's compliance on a continual basis. Effective and regular due diligence can help safeguard a company from suffering risks to its functionality, reputation, and finances.


Carrying out supplier due diligence:

Before onboarding any new supplier, the following areas should be assessed as part of supplier due diligence to minimise risks within the supply chain:

  • The supplier's suite of GDPR documentation, such as its privacy policy and information security policy
  • The technical measures it has in place to support data protection impact assessments (DPIAs), breach notifications and data subject access requests (DSARs)
  • How it currently complies with industry standards, and whether it is meeting its social and legal responsibilities

Case study: Data breach caused by vendors

In March 2021, Volkswagen Group of America (VWGoA) was made aware of a data breach caused by a vendor exposing over 3.3 million US customers' (both current and prospective) data online.

The stolen data included customer names, phone numbers, email addresses and Vehicle Identification Numbers (VINs), alongside information revealing an individual's eligibility to purchase or lease a vehicle and whether they had inquired about a vehicle. The file containing customer data was allegedly left unsecured on a Microsoft Azure Blob storage container and was unlawfully obtained by hackers between August 2019 and 2021. Because the data was left exposed for such a long period, it is unknown how many bad actors may have gained access to it.

The repercussions of this data breach meant that 90,000 Audi customers with the largest amounts of sensitive data leaked were offered free credit protection services, assistance in the event of identity theft, and $1 million of insurance. The data breach will also have caused VWGoA huge reputational damage. Neglecting the security of data and not performing robust due diligence makes the event of a data breach like the one experienced by VWGoA inevitable.

The breach was a direct result of Ticketmaster not assessing the security risks of implementing a chatbot on their payment page.

Lessons learned:

  • Carry out rigorous audits of data processors/vendors to ensure they have sufficient security measures in place to mitigate the risk of a data breach
  • Include mandatory security measures within data processing agreements with data processors


Supplier due diligence is an essential process when seeking new vendors as it allows organisations to make an informed decision on whether to proceed with a business partnership and should form part of business compliance strategies. Risk management is important to safeguard your business from the threat of a data breach. Furthermore, written agreements in the form of DPAs will ensure the correct security measures are in place to protect customer data and your business interests.

Get help with your data protection obligations

Bulletproof's experienced data protection officers give your business on-going support and maintenance of your data protection obligations. Find out more about our flexible, cost-effective packages.
