
How to add a Supplier

Learn how to add a Supplier to your Naq Platform

Written by Dominic Horwood
Updated over a year ago

This article will walk you through how to add a supplier to your Naq platform.

Under this section, you can add the suppliers of human-led services (accountants, outsourced developers, consultants etc.). If you want to add an app or online platform that you use, go to the 'Third Party Apps' section in Naq instead.

Any suppliers of people's time (such as accountants, outsourced developers, consultants etc.) should be added under the Suppliers section of Naq.

Supplier Name

Here you will select the name of the supplier or system you want to add. This could be the name of an accounting firm or IT supplier.

Supplier Owner

Here you will select who within your organisation is responsible for managing the relationship with that supplier.

Supplier email address

Enter the email address of somebody who can sign legal documents at the supplier's end.

Business Critical

Business-critical refers to any element (service, application or supplier) that is essential for a business to function. Disruptions or failures in these elements can have significant negative consequences, such as service disruption, financial losses or reputational damage.

Do you have a signed Data Processing Agreement in place?

A Data Processing Agreement (DPA) is a legally binding contract between a data controller and a data processor. In most cases, your supplier is the data processor and your organisation is the data controller.

If you select 'No' to this question, Naq will automatically send a DPA PDF and security questionnaire to the email you entered in the above section. If you already have an agreement in place which covers GDPR and Information Security, select 'Yes'.

Country

This is the country in which the supplier is located.

Supplier services

Here you will be required to select the services that the supplier is providing, for example IT Supplier.

The list of supplier services within Naq

Whose data do they have access to?

Select whose data the supplier has access to (the 'data subject') and/or the data they hold (or 'process') on your behalf.

What data do they have access to?

Select what types of data are stored about this data subject. This may include their name, address or job title.

To add a new data subject, click the 'Add new subjects' button within your Naq platform.

Legal basis of processing

The legal basis of processing is the justification for collecting and using personal data. Each legal basis carries specific requirements and obligations, and having a valid legal basis for every processing activity is a fundamental principle of GDPR.

For more information on how to select the legal basis of processing for each data subject, please see here.

Retention period

Under GDPR, personal data should be retained only for as long as necessary for the purposes for which it was collected.

When working with suppliers, retention periods are generally classified as either legal retention or contract-based retention. Here’s how to distinguish between the two:

  • Standard legal retention periods are often set by industry regulations or national laws. They apply universally, regardless of whether the contract with the supplier is still active. For example, financial suppliers may be required by law to retain transactional data for a set number of years (e.g., 6 years for tax records), even after the supplier relationship has ended.

  • Retention based on contract validity means the supplier retains the data for the duration of the contract. For example, a payroll service provider may store employee salary data for as long as the contract with your company is active. Once the contract ends, data may need to be deleted unless otherwise specified by legal obligations.

Source

The source of data may be the data subjects themselves, for example when they directly provide personal data through forms, surveys, or public profiles.

It can also be your customers, for example when customers create accounts, make purchases, or interact with the business in any way that involves sharing personal information.

Alternatively, the data source can be a third party if the information is obtained from an external organisation. This often happens through partnerships or publicly available sources, such as accessing data from public databases.

Number of records

This refers to the number of data pieces the supplier holds on a specific data subject. For example, if an accountant stores the address of 50 employees, the number of records is 50.

Recording this information provides an overview of the amount of personal data a supplier holds on a specific data subject.

Purpose

What is the purpose of storing this data? In the case that an accountant stores employee addresses, the purpose would likely be for payroll and tax compliance reasons.

Confidentiality, Integrity and Availability

Confidentiality, Integrity, and Availability (or the CIA Triad) are the basic building blocks of keeping information secure. In the context of suppliers, it’s crucial to ensure that they adhere to the CIA principles.

The principle of Confidentiality is to ensure that only authorised users have access to information. For more information on how to select confidentiality ratings see here.

The principle of Integrity is to ensure that only authorised subjects can make authorised modifications. For more information on how to select integrity ratings see here.

The principle of Availability is to ensure that authorised subjects are granted timely and uninterrupted access to information. For more information on how to select availability ratings see here.

What is the highest classification of data on this asset?

Determining the highest classification of data stored by a supplier requires assessing the most sensitive type of information that the supplier handles. For guidance on how to determine this, please see here.

Does this asset hold any UK government-classified data?

Does your supplier process or store data that is classified as secret by the UK government?

Examples of this type of data include national security information, defence-related data, intelligence reports, or sensitive law enforcement operations. Such data typically has heightened sensitivity and confidentiality requirements and will therefore be subject to more stringent compliance measures.
