Under GDPR Article 28, when you engage a third party to process personal data on your behalf, you must have a Data Processing Agreement (DPA) in place and maintain a register of all such processors. DataShield HQ provides a Vendor Register with DPA tracking, risk monitoring, and expiry alerts.
Viewing the register
- Click Vendor Register in the left-hand navigation menu (under Data Management).
- The page shows summary chips at the top:
- DPA Expired (red) — Number of vendors with expired DPAs requiring immediate action.
- High Risk (amber) — Number of vendors rated High or Critical risk.
- Pending DPA (blue) — Number of vendors with DPA status Requested or Under Review.
- Use the filter tabs to view vendors by status: All, DPA Signed, DPA Expired, High Risk, or Pending Review.
Adding a new vendor
- Click New Vendor.
- Fill in the vendor details:
- Name (required) — The vendor or processor name.
- Role — Processor, Sub-Processor, or Joint Controller.
- Contact Email — Primary contact for DPA correspondence.
- Website URL — The vendor’s website.
- DPA Status — Not Started, Requested, Signed, Expired, or Under Review.
- Risk Level — Low, Medium, High, or Critical.
- DPA Signed Date — When the DPA was signed.
- DPA Expiry Date — When the DPA expires (the system will flag expired DPAs automatically).
- Last Assessment Date — When the vendor was last assessed for compliance.
- Processing Countries — Comma-separated list of countries where the vendor processes data.
- Description — Brief description of the vendor and the services they provide.
- Notes — Internal compliance observations or next steps.
- Click Create Vendor.
Understanding DPA status colours
| Status | Colour | Meaning |
|---|---|---|
| Not Started | Grey | No DPA process has begun |
| Requested | Blue | DPA has been requested from the vendor |
| Signed | Green | DPA is signed and in effect |
| Expired | Red | DPA has passed its expiry date — requires renewal |
| Under Review | Amber | DPA is being reviewed or renegotiated |
Understanding risk levels
| Risk Level | Colour | Description |
|---|---|---|
| Low | Green | Minimal data processing, strong controls |
| Medium | Amber | Moderate data processing, adequate controls |
| High | Red | Significant data processing or identified weaknesses |
| Critical | Dark | Large-scale processing with material compliance gaps |
Editing or deleting a vendor
- Click the Edit icon on any row to update vendor details, DPA status, or risk level.
- Click the Delete icon and confirm to remove a vendor from the register.
Tips
- Set DPA expiry dates and review them regularly — the system highlights expired DPAs in red.
- Reassess vendor risk levels at least annually or after any significant change in their processing activities.
- Use the Notes field to track DPA negotiation progress, audit findings, and remediation actions.
- High-risk and critical vendors should be linked to a DPIA where appropriate.
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article