Handling supplier personal data requires care. Ensure your onboarding process meets UK GDPR standards.
The supplier database contains names, addresses, contact details, bank information, and possibly much more. Some of this data relates to individual sole traders—people whose personal information you're holding and processing. Welcome to GDPR territory.
Many procurement professionals don't think of themselves as handling personal data. They're managing business relationships, not consumer databases. But the boundaries are less clear than they might assume, and the regulatory requirements are very real.
When Supplier Data Becomes Personal Data
Personal data under UK GDPR means any information relating to an identified or identifiable living individual. For supplier management, this most obviously applies to:
Sole traders and individual contractors: Their business data is personal data. Name, address, contact information, bank details, professional qualifications—all personal data requiring protection.
Contact individuals at corporate suppliers: The names, job titles, email addresses, and phone numbers of your contacts at supplier companies are personal data, even though the company itself isn't a person.
Directors and shareholders: If you collect information about directors as part of due diligence—as many organisations do—that's personal data.
Employees referenced in supplier documentation: CVs, training records, or references to specific individuals in compliance documentation are personal data.
The scope may be broader than initially assumed. Any supplier information that can identify an individual—directly or indirectly—falls within GDPR's scope.
The Lawful Basis Question
To process personal data lawfully, you need a legal basis. For supplier data, the most relevant bases are typically:
Contract: The processing is necessary to enter into or perform a contract with the individual. Contact details, bank information, and basic business information for sole traders and individual contractors usually fall here. Note that this basis only applies where the individual is a party to the contract: for a named contact at a corporate supplier, the contract is with the company, not the person, so processing their details normally rests on legitimate interests instead.
Legitimate interests: You have a legitimate business interest in processing the data, and this isn't overridden by the individual's interests. Due diligence information, reference checking, the details of contacts at corporate suppliers, and ongoing supplier monitoring often rely on this basis. Record the balancing test (a legitimate interests assessment) so you can show how you reached that conclusion.
Legal obligation: You're required by law to process certain data. Anti-money laundering checks, right-to-work verification, and regulatory reporting fall here.
The chosen basis should be documented and applied consistently. Different data elements might have different lawful bases, and you should be able to articulate the basis for each category of processing.
Privacy Notices and Transparency
Individuals whose data you process have a right to know what you're doing with it. This means providing privacy notices that explain:
What data you collect; why you collect it (purposes); what lawful basis you're relying on; how long you'll keep it; who you might share it with; and what rights individuals have.
For supplier contacts, this might be addressed through a general privacy notice on your website, through specific notice during onboarding, or through your supplier portal terms. The key is ensuring the information is accessible and clear. Where data comes from somewhere other than the individual (a credit reference agency, a public register such as Companies House, a referee), the notice must also say where it came from and must be provided within a month of obtaining the data unless an exemption applies.
Sole traders and individual contractors deserve particular attention—their relationship with you is more personal than corporate suppliers, and the data you hold is more directly about them as individuals.
Retention and Deletion
GDPR requires that personal data isn't kept longer than necessary. This creates specific obligations for supplier data management.
Retention periods should be defined based on business need and legal requirement. How long do you need supplier records after the relationship ends? Contract law implications, tax requirements, and insurance considerations all factor into appropriate retention.
Active deletion must happen when retention periods expire. It's not enough to have a policy; you need processes that actually delete data when it should be deleted. For supplier records that may span decades of relationship history, this requires systematic management.
Exceptions exist for legal holds and specific compliance requirements, but these should be exceptions, not excuses for never deleting anything. The default should be deletion when retention periods expire.
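The retention review described above is easy to state and hard to run. The following is an added example, not code from the original article: a retention check over a constructed set of supplier records that keeps records still inside their period, deletes expired ones, surfaces expired records under a legal hold for a named reviewer rather than silently keeping them, and refuses to ignore records in a category nobody has assigned a period to. The retention periods, categories, record identifiers and the `legal_hold` field are assumptions for the example; set yours from your own contract, tax and insurance analysis.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Illustrative retention schedule: days to keep each category after the
# supplier relationship ends. These periods are assumptions for this example,
# not legal advice; derive yours from contract, tax and insurance requirements.
RETENTION_DAYS = {
    "contact_details": 365,
    "bank_details": 6 * 365,
    "due_diligence": 6 * 365,
    "correspondence": 2 * 365,
}


@dataclass
class SupplierRecord:
    record_id: str
    subject: str                     # the living individual the data relates to
    category: str
    relationship_end: date | None    # None while the supplier is still active
    legal_hold: str | None = None    # reference of an active legal hold, if any


@dataclass
class RetentionReview:
    delete: list = field(default_factory=list)       # expired, no hold: delete now
    on_hold: list = field(default_factory=list)      # expired but held: needs a reviewer
    retain: list = field(default_factory=list)       # still within its retention period
    unscheduled: list = field(default_factory=list)  # no retention period defined


def review_retention(records, today, schedule=RETENTION_DAYS):
    """Sort records into delete / on_hold / retain / unscheduled as of `today`."""
    review = RetentionReview()
    for rec in records:
        if rec.category not in schedule:
            # A category with no period is a policy gap; flag it, never keep it by default.
            review.unscheduled.append(rec.record_id)
            continue
        if rec.relationship_end is None:
            review.retain.append(rec.record_id)   # relationship still active
            continue
        expiry = rec.relationship_end + timedelta(days=schedule[rec.category])
        if today < expiry:
            review.retain.append(rec.record_id)
        elif rec.legal_hold:
            review.on_hold.append(rec.record_id)  # exception, logged for review
        else:
            review.delete.append(rec.record_id)
    return review


def apply_deletions(store, review, today):
    """Remove expired records from `store` (a dict keyed by record_id) and return a
    deletion log recording what was deleted and why, without the subject's data."""
    log = []
    for record_id in review.delete:
        rec = store.pop(record_id)
        log.append({
            "record_id": record_id,
            "category": rec.category,
            "deleted_on": today.isoformat(),
            "reason": "retention period expired",
        })
    return log


# Constructed sample data: a sole trader whose relationship ended in 2018, an
# active corporate contact, a contractor's due diligence file under legal hold,
# and a record in a category the schedule does not cover.
SAMPLE = [
    SupplierRecord("r1", "A. Jones (sole trader)", "contact_details", date(2018, 3, 31)),
    SupplierRecord("r2", "A. Jones (sole trader)", "bank_details", date(2018, 3, 31)),
    SupplierRecord("r3", "B. Smith at Acme Ltd", "contact_details", None),
    SupplierRecord("r4", "C. Patel (contractor)", "due_diligence", date(2015, 1, 1),
                   legal_hold="LIT-2023-07"),
    SupplierRecord("r5", "D. Lee at Widget plc", "training_records", date(2019, 6, 30)),
]


def run_example(today=date(2024, 6, 1)):
    """Run the review and deletion over the sample store as of a fixed date."""
    store = {rec.record_id: rec for rec in SAMPLE}
    review = review_retention(list(store.values()), today)
    log = apply_deletions(store, review, today)
    return review, sorted(store), log


if __name__ == "__main__":
    review, remaining, log = run_example()
    print("delete:", review.delete, "on hold:", review.on_hold,
          "retain:", review.retain, "unscheduled:", review.unscheduled)
    print("remaining:", remaining)
    print("deletion log:", log)
```

Two design points carry the section's argument: the legal-hold records come out in their own bucket so someone has to look at them each cycle, and the deletion log records the fact and reason of deletion without carrying the personal data forward.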
Supplier Due Diligence Implications
Due diligence activities have GDPR dimensions that deserve attention.
Credit checks and financial monitoring involve personal data when applied to sole traders or when they include information about directors. The basis for this processing should be documented, and data should be kept only as long as necessary.
Background checks on individuals—whether directors, key personnel, or individual contractors—involve significant personal data processing. This typically requires clear lawful basis, transparency about what's being checked, and appropriate retention practices.
Reference checking involves both the referee's personal data and potentially sensitive opinions about the subject. Both aspects need appropriate handling.
Adverse information—whether from sanctions lists, adverse media, or other sources—may be particularly sensitive. Processing this data legitimately requires a clear basis and a proportionate approach. Where it concerns criminal convictions or offences, including allegations, it is criminal offence data under Article 10 of UK GDPR and additionally needs a condition from Schedule 1 of the Data Protection Act 2018.
Your Suppliers as Processors
Some suppliers will process personal data on your behalf—they become "data processors" for data you control. This creates specific obligations.
Written contracts must be in place covering data processing relationships, and they must contain the processor terms required by Article 28 of UK GDPR: the subject matter and duration of the processing, its nature and purpose, the types of data and categories of individuals, and the processor's obligations (acting only on documented instructions, confidentiality, security, assisting with rights requests, and deleting or returning the data at the end). Many organisations include a standard data processing schedule in their supplier contracts for this purpose.
Due diligence on processing capabilities becomes necessary. How will the supplier protect the data? What security measures are in place? Where will data be processed geographically? If data leaves the UK, a transfer mechanism is needed, such as an adequacy regulation for the destination, the ICO's International Data Transfer Agreement, or the UK Addendum to the EU standard contractual clauses.
Sub-processing needs contractual control. If your supplier uses other parties to process your data, you need visibility and control over that chain: the supplier must have your prior authorisation to appoint a sub-processor and must pass the same obligations down to it.
Ongoing monitoring is required. Processor relationships should be reviewed periodically to ensure continued compliance.
Individual Rights
People whose data you hold have rights that your supplier management processes must accommodate.
Right of access means you must be able to provide individuals with copies of their data on request. Your supplier database needs to be searchable by individual to respond to such requests.
Right of rectification means you must correct inaccurate data when requested. Supplier contact details particularly may become outdated and need correction.
Right of erasure (the "right to be forgotten") means individuals can request deletion in certain circumstances. This is limited—you don't have to delete data you still need for legal or contractual reasons—but the right exists and must be accommodated when applicable.
Rights exercise must be processed within defined timeframes (typically one month). Your supplier management processes should enable response to rights requests efficiently.
Practical Steps
If you haven't specifically addressed GDPR compliance in your supplier management, several practical steps can improve your position.
Audit what personal data you actually hold. You may be surprised by the scope. Contact details, correspondence history, due diligence records, payment information—map it all.
Document your lawful bases. For each category of data, what's your justification for processing it? This documentation should exist before any regulatory inquiry requires it.
Review privacy notices. Are individuals whose data you process informed about what you're doing? Update notices to cover supplier data processing if they don't already.
Implement retention schedules. How long should different types of supplier data be kept? Implement schedules and processes for deletion when retention periods expire.
Include data protection in supplier contracts. Ensure appropriate terms are in place with suppliers who process personal data on your behalf.
Train your team. People managing supplier relationships should understand their data protection responsibilities—what they can and can't do with personal data.
Compliance isn't a one-time exercise. It requires ongoing attention as your supplier base evolves, regulations develop, and processing activities change. But the foundation of a documented, considered approach to supplier data protection is essential.