Change management | Compliance | Privacy (GDPR) | April 6, 2026 | by Erik Horn

The day your customer asks — are you ready?


This is the last of four articles on vendor control in practice.


Let's say you've done the job.

You have checked supplier access. You have retrieved the data processing agreements and compared them with reality. You have had the difficult conversations and updated what needed updating.

Good. You have better control than most.

But then your biggest client calls and says: «We're conducting a supplier audit. Can you document how you handle our data?»

Suddenly the perspective is turned. You are not the one asking the questions. You are the one who has to answer.

You are also a supplier

Most businesses think of GDPR as something they require from their suppliers. The agreements, the access control, the audit: it's something you do toward others.

But almost all businesses are also a supplier to someone else. You process data on behalf of your customers. You are their data processor, or you are the data controller for data they have provided to you.

On the day the customer asks, it's too late to start cleaning.

What customers are actually asking for

Customer audits, procurement departments, and tender processes are increasingly posing concrete questions about privacy and security. Not as a formality, but as a qualification requirement.

The questions are recognizable:

Do you have data processing agreements with all subcontractors?
Which subcontractors do you use, and in which countries is data processed?
How do you handle a deviation, and how quickly?
Can you document access control: who has access to what?
Do you have a contingency plan, and have you tested it?
Can you provide a privacy statement that actually reflects what you do?

If you've been following this article series, you'll recognize the questions. They're the same questions you just asked your own suppliers.

Those who cannot answer lose the contract

This is where it gets concrete. Privacy is no longer just a legal requirement. It's a competitive requirement.

Procurement departments use privacy and security as qualification criteria. Companies that cannot document control are excluded, not because they are doing anything wrong, but because the customer cannot take the risk.

And it's not just about large contracts. Medium-sized businesses are also finding that partners and customers are asking these questions. Expectations are increasing throughout the entire value chain.

Create a «ready-to-deliver folder»

You don't need a big system to be ready. Create a simple folder — digital or physical — with the five documents clients most often ask for:

Overview of data processing agreements. Who processes data for you, for what purposes, and with what security measures. Not a complete list of agreements, but an overview showing that you know what you have.

Subcontractor list. Which third parties are involved, in which countries, for what purposes. Updated — not from 2023.

Deviation handling. A simple procedure for what happens when something goes wrong. Who is notified, in what order, and within what timeframe. It doesn't need to be complicated, but it must exist and it must be known.

Access control. Documentation of who has access to what, and that access is limited to what is necessary for the job.

Contingency plan. What do you do if a critical system goes down? Not as a thought experiment, but as a tested plan. Can you operate for 48 hours without IT? This is a question procurement departments actually ask.

Last resort: the paper tiger

And here is the last question — the one few people think about, but which could become the most important:

If all digital systems were to shut down, could you still operate?

That sounds dramatic. But reality shows that it happens, more often than most people think. And the businesses that get through it are those with a plan that works without power, without internet, and without systems.

A backup plan on paper. Phone numbers of key personnel. Manual routines for the most critical processes. It costs nothing to create. And the day you need it, it's invaluable.

From control to competitive advantage

This article series began with a simple observation: privacy is not a project you finish.

It's an operational task. It's the spice in the kitchen: something you use every day, in every process, wherever it's needed.

Supplier control, contract audits, preparedness, and documentation are not compliance exercises. They are signs of a well-run business. And increasingly, they are the difference between winning and losing a contract.

You don't have to do everything at once. Start with one vendor. One agreement. One conversation.

Control isn't built in big projects. It's built in everyday work, one day at a time.

Thanks for reading all four articles. If you'd like to discuss what this means for your business, I'd be happy to have a no-obligation Teams coffee.
