Due Diligence

Due diligence is a systematic investigation of a company, supplier or partner that you conduct before deciding on a collaboration, an acquisition or a contract. The purpose is to uncover risks, verify the information you have been given and ensure that you comply with applicable legislation.


What is due diligence?

Due diligence translates literally as "appropriate care". In a compliance context, it means thoroughly investigating a counterparty before entering into an agreement. You want to know whether the supplier handles personal data responsibly, whether the partner complies with regulatory requirements, and whether there are hidden risks you need to address.

The concept originates from the financial world, where due diligence is traditionally used in corporate acquisitions. Today it is a central tool in compliance management, because legislation increasingly requires you to know your partners and be able to document that you have investigated them.

Due diligence is closely linked to third-party risk management. Where third-party risk is the overarching risk picture, due diligence is the concrete investigation you conduct to assess and reduce that risk.

Types of due diligence

Due diligence can take many forms depending on the context:

• Data protection due diligence: Investigation of how a data processor handles personal data. You assess their technical and organisational measures, including encryption, access management and breach procedures.
• Security due diligence: Assessment of a supplier's information security. Do they have an ISMS? Are they ISO 27001 certified? What controls do they have in place?
• Regulatory due diligence: Identification of whether the counterparty complies with relevant regulations such as GDPR, NIS2 or DORA.
• Financial due diligence: Review of accounts, debt, assets and financial health, typically in connection with acquisitions.
• Legal due diligence: Investigation of contracts, disputes, intellectual property rights and legal obligations.

In practice, you often combine several types in the same process. A supplier assessment typically covers data protection, security and regulatory compliance.

Due diligence and compliance requirements

GDPR Article 28 requires that as a data controller you only use data processors that can provide "sufficient guarantees" of appropriate measures. This is in practice a requirement for due diligence. You must be able to document that you have assessed the data processor before entrusting personal data to them.

NIS2 requires essential and important entities to assess the security of their supply chain. This means due diligence of suppliers delivering critical services.

DORA goes further still for financial undertakings and requires detailed risk assessment of ICT third-party providers, including exit strategies and ongoing monitoring.

ISO 27001 addresses supplier security in Annex A and requires a policy for information security in supplier relationships. Due diligence is the practical implementation of that policy.

How to conduct due diligence

A structured due diligence process typically follows these steps:

• Scope: Define what you are investigating and why. What is the risk of the collaboration? What data is involved?
• Information gathering: Send questionnaires, obtain certificates, review policies and audit reports. Request documentation of their information security policy and any certifications.
• Assessment: Analyse the responses against your requirements and acceptable risk levels. Use your risk assessment as the basis.
• Decision: Approve, reject or approve with conditions. Document the decision.
• Ongoing follow-up: Repeat the assessment regularly. Critical suppliers should be assessed annually.

Document the entire process in your records of processing activities or supplier register. This makes it easier to respond to supervisory authorities and demonstrate that you have acted with appropriate care.

Frequently Asked Questions about Due Diligence

What is the difference between due diligence and a risk assessment?

Due diligence is an investigation of a specific counterparty (supplier, acquisition target, partner), whilst a risk assessment is a broader analysis of the organisation's overall risk picture. Due diligence is often part of the overall risk management process.

When should you conduct due diligence?

Due diligence should be conducted before entering into contracts with new suppliers, before corporate acquisitions, when selecting data processors and when entering into strategic partnerships. Under GDPR it is a requirement to assess data processors before entrusting personal data to them.

Does GDPR require due diligence of suppliers?

Yes, GDPR Article 28 requires that as a data controller you only use data processors that can provide sufficient guarantees of appropriate technical and organisational measures. This presupposes a due diligence process.

How often should due diligence be repeated?

Due diligence is not a one-off exercise. You should repeat the assessment regularly, typically annually for critical suppliers, and when there are significant changes in the supplier's organisation, services or risk level.
