Vendor breach response

Trigger: a vendor or service provider has notified you that they experienced a security incident that may have affected data you shared with them. Or you became aware of a vendor breach through public reporting before you received a direct notification.

The vendor’s breach is, in part, your breach. If you are the controller, a breach at your processor is a personal data breach for you as well: any personal data they held on your behalf is data you remain responsible for under GDPR. The fact that someone else lost it does not reduce your obligations, and the vendor’s own reporting duties do not discharge yours.

Verify the notification

Before acting on a breach notification, confirm it is genuine. Phishing emails impersonating breach notifications from trusted vendors are a known vector, and a fake notice may itself carry a malicious link or attachment, or try to harvest credentials under the pretext of a “password reset”. Do not click links or open attachments in the notice. Contact the vendor through a channel you already have on record (your account contact, the support number in your contract, or their published status or trust page), not through any address or link in the email you just received, to confirm the incident is real.

Assess what data was affected

The vendor’s notification may be vague about scope. Press for specifics:

  • What categories of data were involved? In particular, did it include special category data, identifiers such as national ID or payment details, or credentials?

  • What time period does the breach cover, and when did the vendor first detect it?

  • Were the records encrypted at rest? If so, with what, and is there any indication that the keys were also exposed? Encryption only reduces the risk to individuals if the attacker did not also obtain the means to decrypt.

  • How many individuals’ data is estimated to be affected, and how many of those records are yours?

  • Has the breach been contained, or is it ongoing? What is the vendor’s evidence for containment?

  • Were any of the vendor’s own sub-processors involved or affected?

Your own data processing agreement with the vendor (required under Article 28 GDPR) should specify their notification obligations and the timeframe for providing detail; Article 33(2) separately requires a processor to notify the controller without undue delay. If they are not meeting those obligations, document the gap, including when you asked for information and when (or whether) it arrived.

Determine your own notification obligations

GDPR (Article 33) requires you to notify your supervisory authority without undue delay, and where feasible within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. “Aware” means having a reasonable degree of certainty that a breach has occurred, so the clock may already have started from the moment you learned of the incident (for example, from public reporting), not from when the vendor formally notified you. Check the timing carefully. If you cannot obtain full details from the vendor within 72 hours, do not wait: Article 33(4) allows the information to be provided in phases, so make an initial notification with what you know and follow up as the vendor supplies specifics.

If the breach is likely to result in a high risk to individuals (for example, special category data was involved, or the data could enable identity fraud or physical harm), Article 34 requires you to notify the affected individuals directly, without undue delay. Notification to individuals is not required where the data was rendered unintelligible to unauthorised parties (for example, properly encrypted with keys that were not exposed), which is why the encryption and key questions above matter.

Engage legal counsel to confirm your specific obligations in your jurisdiction. If you have a data protection officer, they should be involved immediately.

Review the vendor relationship

A vendor breach is a signal to review the relationship:

  • Was the data minimised? Did the vendor hold more than was necessary?

  • Was the data properly protected under the processing agreement?

  • Did they meet their contractual notification timeline?

Consider whether to continue the relationship, and if so, what additional requirements to impose at contract renewal. See the vendor assessment playbook.

Temporarily revoke or reduce the vendor’s access to your systems while the incident is being investigated, if this can be done without critically disrupting operations. Treat any credentials the vendor held for your environment (API keys, service accounts, shared secrets, certificates, SSO integrations) as potentially exposed: rotate them, and review your own logs for activity from the vendor’s accounts and IP ranges over the breach window, since a compromised vendor is a common path into its customers.

Document and follow through

Record, with timestamps: when you first became aware of the incident and how, when you received the vendor’s notification, what you were told, what you asked for and when it was provided, what you determined your obligations were, what you disclosed to your supervisory authority, and what you communicated to affected individuals. Article 33(5) requires you to document every personal data breach, including those you decide not to report, together with the reasoning. Update your data audit to reflect what has changed about this vendor relationship.