How do Data Protection Impact Assessments (DPIAs) and vendor due diligence complement each other?

This post is inspired by a LinkedIn post I wrote that got a fair amount of attention. It is based on matters observed at several organisations.

Some people believe they understand the GDPR. You have probably been asked, during vendor onboarding, to complete a DPIA when one wasn't necessary: for instance, when there was no processing activity as such, and the "DPIA" was really being used to assess a vendor who would not process any personal data at all. You have probably also seen ICT projects fail because the same organisation did not realise that a DPIA was needed, often because the data protection officer (DPO) could not work out what kind of DPIA the project actually required.

Most of the time, especially for users of US technology platforms, the DPIA templates aren't fit for purpose: they misleadingly focus on privacy and consent. Let's not forget that most people haven't realised the GDPR isn't a privacy law (Article 1(2): "This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data").

The ongoing saga of how organisations are handling the AI Act largely proves my point: people suddenly panic when they realise they have to conduct a fundamental rights impact assessment (FRIA) and discover the EU Charter of Fundamental Rights for the first time.

I believe the confusion partly comes from people in organisations not understanding governance, or not sharing the same understanding of it, and usually lacking a basic understanding of business flows.

Back to the opening point: DPIAs and vendor due diligence are separate matters serving separate purposes.

DPIAs relate to processing activities: a specific context in which personal data is processed, subject to thresholds. The first trigger is whether there is processing at all within the GDPR's definition of the term; the second is whether that processing is likely to result in a high risk to the rights and freedoms of individuals (the Article 35 threshold).

For the activity being assessed, there may be a vendor involved. That is where vendor due diligence comes into the equation.

If you need a washing machine and conduct due diligence using a fridge assessment, there is a fair chance the spin cycle won't be taken into consideration, and you will be left wondering why the clothes come out so cold, and possibly still wet and dirty, once "washed". Asking a sandwich supplier or an office cleaning company whether they have an up-to-date asset register adds little to your procurement. They may represent a cyber risk of some sort, but I would approach it differently.

While harmonisation is helpful, assessing every vendor with questions that are irrelevant to whatever they actually bring to the organisation will certainly not amount to proper due diligence.

If I were a regulator reviewing such a process, I would question the benefit of choosing a fridge assessment when buying a washing machine. In fact, some regulators do, as a colleague I spoke to recently confirmed: the organisation had to redo all of its assessments, since at that stage it was hard to know which were appropriate and which weren't.

Due diligence is important, but it needs tailoring: irrelevant questions send a poor governance signal to the vendor, and a wise vendor may well stay away from such a client, since poor governance does not help the business relationship.

The first question to ask at the procurement stage is: will personal data be processed? Yes or no.

When the question is asked, the person answering it must understand what personal data processing means. That is not a given. If you hire a project manager or a subject matter expert to review policies and get stakeholders to agree the policies and procedures, the personal data processing involved will likely be limited to policy documents and meeting minutes. Should you conduct a DPIA? Perhaps not, but context matters, and the controller will decide.

If the answer is yes, the DPO should be able to help determine whether a DPIA is needed.

Vendor assessment is a different matter. Taking the example above, assessing a project manager with 60 ICT questions, none of which concern the project manager's qualifications and experience, is a pure gamble. And if, during vendor due diligence, a controller that happens to be ISO 27001 certified sends its vendor a set of policies that haven't been reviewed for 5 to 8 years, when its ISO certification is renewed every 3 years, that can only raise doubts for the vendor: about the controller, about the quality of the ISO 27001 certification, and about the internal and external auditors behind it.

As a final point on DPIAs, there are many benefits in conducting such assessments even for low-risk processing. But when you assess a process in which no personal data is processed (such activities do exist), please don't quote the GDPR; think of a different type of assessment, because fundamental rights may not be the risk at stake.

Do you need help reviewing your procurement and due diligence processes, or your DPIAs? Please reach out.

Claude Saulnier
B-Eng - CDPO - CFRCP - CIPP/E 

Data Protection SME & Product Manager Bizoneo

Post Scriptum (PS):