As part of my GDPR work, I'm looking at vendors & suppliers and the data that they have access to.
With respect to Article 28 - (http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L:2016:119:FULL&from=EN), I understand the following:
"The controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject."
I also understand that "controllers" must detail in written contracts how their "processors" are going to handle this customer data.
My question is: imagine a third party supplier / vendor states they are NOT GDPR compliant and have NO plans to comply, and existing contracts were drawn up before GDPR came into force.
If I'm reading this correctly, my company is then liable, or at least jointly liable in the event of a GDPR breach involving the third party.
Yep. Most contracts have an exit clause in case the third party cannot meet the technical and/or regulatory requirements of the customer. Even if you don't, you can break the contract, and I don't know if there's a moderator out there who wouldn't side with you.
In short, do not use them if your company plans to stay compliant. Seek others who are more willing to work with you on reducing regulatory risks.