Introduction
This procedure outlines how suppliers to WeThrive who process personal data on behalf of WeThrive (Processors), or have access to WeThrive’s systems, should be assessed to ensure they have appropriate levels of security in place and comply with data protection legislation including the GDPR.
Scope
The scope of this procedure covers all suppliers to WeThrive who either process personal data on behalf of WeThrive (Processors), or have access to WeThrive’s systems.
Responsibilities
All staff are responsible for ensuring that, prior to onboarding a new supplier who processes personal data on behalf of WeThrive (Processors), or has access to WeThrive’s systems, this process is followed.
The employee who instigates a request for a new supplier is responsible for updating the supplier due diligence record.
The Data Protection Officer is responsible for reviewing the supplier due diligence questionnaire answers from the supplier and making a recommendation on whether the supplier can be used.
The Data Protection Officer is responsible for reviewing the supplier due diligence record monthly and arranging annual due diligence reviews of existing suppliers.
The Chief Executive Officer or Commercial Director (or a person designated by them) is responsible for making the final decision as to whether the supplier will be used. This will be done at sign off.
Procedure
When WeThrive needs a new supplier, staff must initially assess if:
The supplier will be processing personal data on behalf of WeThrive.
The supplier has access to WeThrive’s systems which may give access to personal data.
If the answer to both is no, no further action is needed under this procedure.
If the answer is yes to either of the above, the following process should be followed:
The Supplier Due Diligence Questionnaire should be sent to the key contact at the supplier, asking them to complete it and return it within a given timescale. It should be explained to the supplier that this is part of WeThrive’s supplier due diligence process.
Once the completed questionnaire is received, this should be passed to the Data Protection Officer for review along with contact details of the supplier.
The Data Protection Officer will review the questionnaire and raise any questions they may have with the supplier directly. At this point they may ask whether the supplier is able to address any issues identified and apply additional controls in order to satisfy the Data Protection Officer’s requirements.
The Data Protection Officer will decide on the suitability of the supplier and record this as a recommendation, either to go ahead with the supplier or not to use the supplier.
The Data Protection Officer’s decision will be provided to the Chief Executive Officer or Commercial Director as part of the supplier sign off process.
The Chief Executive Officer or Commercial Director will make the final decision as to whether the supplier can be used and, where the decision is to go ahead against the recommendation of the Data Protection Officer, will notify the Data Protection Officer of this.
The employee who instigated the new supplier will enter the new supplier in the supplier due diligence record.
The Data Protection Officer will review the supplier due diligence record monthly.
Reviewing Due Diligence
Supplier due diligence should be repeated annually for each existing supplier to confirm that the supplier is maintaining its security and data protection compliance.