According to Article 28 of the European Union's General Data Protection Regulation (GDPR), companies are held accountable for the handling of personal data regardless of whether it is handled in-house or by third-party vendors or partners.

While most businesses are aware of the GDPR requirements, too many have prepared by focusing on internal data handling policies while overlooking an even greater threat: third-party cybersecurity risk.

To help businesses mitigate both internal and third-party risks, the CyberVadis questionnaire includes specific GDPR questions to assess whether a company has built the framework needed to cover the requirements introduced by the regulation. Specifically, our analysts will assess whether the company has put the following in place:

  • Roles in charge of data privacy duties have been appointed;

  • Personal data processing is identified and managed;

  • Personal data transfer is identified and data privacy requirements considered;

  • Data privacy is taken into account within the procurement process and the project management methodology;

  • Users are trained on data privacy matters;

  • Data processing principles are checked (lawfulness, exercise of data subject rights, retention, etc.);

  • A procedure is in place to inform data controllers and/or regulators in case of a personal data breach.

Interested in having your company assessed? Contact our team at
