In its supplier management activities, the company must pursue compliance, which is oriented towards ensuring efficiency and organisational adequacy and, in general, avoiding liability. It must also keep an eye on valuing data as a true corporate asset. Having documented policies will enable the entire organisation to pursue these objectives correctly and more easily.
With a view to correct and efficient supplier management, the company should:
keep a list of suppliers to hand (to be included in the Register of Processing), re-evaluate the contracts entered into before the new regulation came into force and update them accordingly, possibly together with an activity to verify that the other parties' organisations comply with the new privacy rules;
adopt a centralised procedure for selecting suppliers;
include in this procedure an adequate process for auditing the potential supplier, who must comply with both the GDPR and the client's company policies;
formalise the relationship with the supplier in a contract that also covers the processing of personal data, setting out precisely what the regulations require, with a particular focus on the value that the personal data themselves may have for the company.