If you’re using a supplier to host *any* EU citizens personal data (including log entries, emails, documents, HR records, backups) then when GDPR starts in May 2018 you need to have a written contract with them that includes:
- subject matter and duration of processing
- type of personal data and categories of subjects.
And that the supplier will
- only process on your instruction
- ensure employees are under strict confidentiality agreements
- not engage (or change) a sub processor without your approval
- be responsible to you if a sub processor fails to perform
- help you response to data subject enquiries
If you fail to to include such terms in your processor contracts, the ICO could fine you the greater of €10m or 2% of total annual turnover. Gulp.
For more detail on GDPR see this article by Rawlinson Butler: