Although the GDPR accommodates modern business practices of outsourcing data storage and analytics, as well as marketing communication and other functions, it requires that data controllers choose their data processors carefully and bind them, through mandatory contractual terms, to the GDPR's risk-based standards.
The GDPR did not invent vendor management responsibilities. Organizations have long had procurement programs that scrutinize vendor selection on a variety of bases, from financial solvency to service-level commitments and beyond. Health-related privacy laws in the U.S., for instance, require business associate agreements before personal health information is sent to third parties. And for information privacy and security personnel, the infamous Target data breach underscored the risk of giving third parties access credentials to secured systems housing personal data, raising risk awareness to the highest levels of management.
Source: Top 10 Operational Responses to the GDPR – Part 9: Vetting and contracting with processors