What is GDPR Compliance
GDPR compliance means adhering to the European Union's General Data Protection Regulation, which mandates specific controls for processing personal data of EU residents. Organizations must implement technical and organizational measures including lawful basis documentation, data subject rights procedures, breach notification protocols, and privacy-by-design principles across all processing activities.
Key takeaways:
- Applies to any organization processing EU resident data, regardless of location
- Requires documented lawful basis for each processing activity
- Mandates 72-hour breach notification to supervisory authorities
- Fines reach 4% of global annual revenue or €20 million
- Third-party processors need specific contractual clauses (Article 28)
The General Data Protection Regulation (GDPR) fundamentally changed how organizations handle personal data when it took effect May 25, 2018. For compliance officers managing third-party risk, GDPR introduces specific obligations that extend throughout the vendor ecosystem.
Your third parties processing EU personal data become either controllers or processors under GDPR Article 4, each with distinct compliance requirements. Controllers determine the purposes and means of processing. Processors act on controller instructions. This distinction drives your entire vendor risk assessment approach for GDPR compliance.
Every vendor touching EU personal data requires Article 28 compliant contracts, documented technical measures, and demonstrable accountability. Miss these requirements and your organization faces regulatory action—even if the violation occurred at a vendor's facility.
Core GDPR Requirements for Third-Party Risk Management
GDPR Article 28 establishes the foundation for vendor relationships involving personal data. Processors must:
- Process data only on documented controller instructions
- Ensure personnel commit to confidentiality obligations
- Implement Article 32 security measures
- Engage sub-processors only with controller authorization
- Assist controllers with data subject requests
- Delete or return data upon contract termination
- Demonstrate compliance through audits
These requirements translate into specific control mappings for your vendor assessment process. Map each Article 28 requirement to corresponding controls in SOC 2 (CC6.1-CC6.3), ISO 27701 (7.2.8, 7.5.1-7.5.4), or your organization's control framework.
Regulatory Context and Framework Crosswalks
GDPR intersects with multiple compliance frameworks in your third-party risk program:
SOC 2 Alignment:
- CC1.4 and CC1.5 (Commitments and Communications) map to GDPR transparency requirements
- CC6 series (Logical and Physical Access Controls) support Article 32 technical measures
- P3.0-P8.0 (Privacy Criteria) directly address GDPR principles
ISO 27701 Mapping:
- Clauses 6.2-6.15 provide GDPR-specific controls
- Annex A controls map to Articles 25 (Privacy by Design) and 32 (Security)
- Annex D offers direct GDPR-to-ISO mapping
NIST Privacy Framework:
- Identify-P maps to GDPR data inventory requirements
- Govern-P aligns with accountability principles
- Control-P addresses technical measures
Document these crosswalks in your regulatory change management system. When GDPR guidance updates, trace impacts across all mapped frameworks.
Practical Application: Vendor Due Diligence
Your vendor assessment questionnaire must capture GDPR-specific elements:
Data Processing Assessment:
- Categories of data processed (Article 30)
- Processing purposes and legal basis (Article 6)
- Data retention periods (Article 5)
- Cross-border transfer mechanisms (Chapter V)
Technical Controls Verification:
- Encryption at rest: AES-256 minimum
- Encryption in transit: TLS 1.2 or higher
- Access controls: Role-based with audit logs
- Data loss prevention: Automated classification and blocking
- Incident response: 24-hour vendor notification to support 72-hour deadline
Contractual Requirements:
Standard Contractual Clauses (SCCs) for international transfers underwent major revision in June 2021. Use Commission Implementing Decision (EU) 2021/914 modules:
- Module 1: Controller to controller
- Module 2: Controller to processor
- Module 3: Processor to processor
- Module 4: Processor to controller
Industry-Specific Considerations
Financial Services: GDPR interacts with PSD2 for payment service providers. Document lawful basis carefully—consent rarely works for financial transactions. Legitimate interest assessments must balance against fundamental rights.
Healthcare: Clinical trial data under GDPR requires explicit consent (Article 9). Vendors processing health data need additional safeguards beyond standard Article 28 requirements. Reference EDPB Guidelines 03/2020.
Technology/SaaS: Sub-processor lists require active management. Implement automated tracking for vendor sub-processor changes. Many SaaS providers only offer a "subscribe for updates" model for sub-processor changes, which is inadequate for GDPR. You need prior notification with objection rights.
Retail/E-commerce: Marketing technology vendors often claim joint controllership. Scrutinize these claims—most are processors requiring Article 28 agreements. True joint controllership (Article 26) requires shared purpose determination.
Common Misconceptions
"GDPR only applies in Europe" False. Article 3 territorial scope catches any organization:
- Offering goods/services to EU residents
- Monitoring EU resident behavior
Location of processing is irrelevant if these triggers apply.
"Consent solves everything" Consent under Article 7 requires:
- Freely given (no service conditional on consent)
- Specific and informed
- Clear affirmative action
- Withdrawable anytime
Most B2B processing relies on legitimate interest or contract performance instead.
"Processors aren't liable" Article 82 creates direct processor liability for:
- Acting outside controller instructions
- Failing to meet processor-specific obligations
- Engaging unauthorized sub-processors
Vendor indemnification clauses won't shield you from regulatory fines.
Audit Trail Requirements
GDPR accountability (Article 5.2) demands comprehensive audit trails:
Processing Records (Article 30):
- Controller and processor contact details
- Processing purposes and categories
- Recipient categories
- International transfers
- Retention periods
- Technical/organizational measures
Consent Management:
- Timestamp of consent
- Specific consent language shown
- Method of consent capture
- Identity verification performed
Data Subject Requests:
- Request receipt timestamp
- Identity verification steps
- Actions taken with timestamps
- Third parties notified
Configure your GRC platform to capture these elements automatically. Manual tracking fails at scale.
Frequently Asked Questions
Do US companies need GDPR compliance for EU customers?
Yes. GDPR Article 3(2) applies to any organization offering goods or services to EU data subjects, regardless of the organization's location. Processing location doesn't matter—customer location does.
What's the difference between a processor and sub-processor under GDPR?
A processor directly contracts with the controller to process personal data. A sub-processor contracts with the processor, not the controller. Both need Article 28 compliant agreements, but sub-processors require prior specific or general authorization from the controller.
How do Standard Contractual Clauses work after Schrems II?
Post-Schrems II, SCCs alone aren't sufficient. Conduct transfer impact assessments (TIAs) documenting: local surveillance laws, data access practices, and supplementary measures implemented. The June 2021 SCCs include built-in TIA requirements in Clause 14.
Can legitimate interest replace consent for B2B processing?
Often yes. B2B processing frequently qualifies for legitimate interest (Article 6(1)(f)) after balancing tests. Document your legitimate interest, the necessity of the processing, and the balancing against data subject rights. Marketing to existing customers is explicitly recognized in Recital 47.
What constitutes a "high risk" vendor under GDPR?
GDPR doesn't define vendor risk levels, but Article 35 Data Protection Impact Assessment triggers indicate high risk: large-scale sensitive data processing, systematic monitoring, innovative technology use, or processing preventing exercise of rights. Apply these criteria to vendor assessments.
How long do organizations have to report breaches involving processors?
Controllers must notify supervisory authorities within 72 hours of awareness. Processors must notify controllers "without undue delay." Best practice: require 24-hour processor notification in contracts to meet your 72-hour deadline.