Monitoring third party compliance takes skills and experience

The GDPR requires organisations to have processes in place to monitor their third parties’ compliance with their legal and contractual obligations. The European Data Protection Board makes it clear that it is not sufficient to simply place contractual obligations on third parties; organisations must also document how they ensure compliance with those contractual obligations. DQM GRC can run your assurance programme for you.

We can design an assurance programme around your risks and controls, seek answers from your suppliers and processors about their practices, and provide you with a report explaining how well what they do meets your expectations. Where they fall short, we can recommend improvements that will bring them into compliance.

Discover more about our third party assurance services and solutions below 
Third Party Assurance

How does this service work?

Our specialist second party auditors will work with you to create a bespoke audit plan to meet your needs and requirements.


Audit templates

We will create one or more bespoke audit templates and/or questionnaires based on the terms of your contracts and data sharing agreements for your approval.
This process includes establishing the audit framework and criteria to ensure that our audit is appropriately sensitised to areas of non-compliance.


Test audit

We will carry out a test audit to ensure that the audit template works as intended and the report meets your requirements.


Audit plan

We will work with you to design a suitable audit plan and schedule. This includes defining the scope and frequency of audits.


The audits

We will carry out the audits according to the agreed plan.
Depending on your preference, we can work directly with the audit subjects to schedule the audits or you can do this yourselves.


Periodic review

We will work with you to monitor the ongoing effectiveness of the audits.
The frequency of this review cycle will be agreed with you, but a review will be triggered by changes to contracts or data sharing agreements and by known breaches and incidents, and will take place at least annually.

What to expect

Your auditor will typically take two days to complete an audit. This will be a combination of interviews with key individuals, reviews of documentation and sample checking.

We aim to provide written reports to you within 10 working days of the audit commencing.

For lower risk contracts, you may prefer to send questionnaires to your third parties that they can complete themselves and return to us for review.

We typically allow three weeks for the third party to complete and return the questionnaire and aim to provide written reports to you within 10 working days of receiving the completed questionnaire.

If you wish, our consultants can work with your audit subjects to help them address areas of non-compliance. We can maintain strict Chinese walls between our audit and consultancy teams.


Other services of interest

Cyber security services

Cyber Security as a Service

Our sister company IT Governance provides a wide range of cyber security services, including Cyber Security as a Service (CSaaS), penetration testing and vulnerability scanning.

These services can be combined with our audit programme to provide additional assurance that your data is appropriately safeguarded when you pass it to third parties.


Bespoke data seeding

Bespoke data seeding solutions

Our bespoke data seeding service monitors large and complex datasets in order to give you visibility of how your data is used and protect it against loss or theft.

It is particularly beneficial for organisations who regularly share datasets with third parties or who need to manage process limitations internally. We work with you to design seeding patterns that let you monitor each dataset, control how it is used and give you early warning if it is misused.




Breachtrak monitors simple data sets to protect them against loss and theft. It is particularly beneficial for organisations who want to protect their valuable data assets – and the people the data relates to – against unauthorised intrusion.

Breachtrak includes enough data seeds to monitor one database and gives you early warning if your data is used in ways you don’t expect, or offered for sale by cybercriminals.


Bespoke solutions

Make it your own

We can tailor your audit programme to your specific needs and requirements.

Examples include:

  • Helping you to define standards for your data recipients to meet
  • Reviewing your contracts and data sharing agreements to ensure they remain in line with best practice and protect you and your data subjects appropriately
  • Incorporating a data seeding programme to provide evidence of data usage
  • Any other support to meet your needs – just ask!
