The General Data Protection Regulation (hereinafter also the “GDPR”) has imposed several new rules on organisations (business companies) to protect EU individuals’ personal data. Organisations that are data controllers or data processors need to have assurance that their third-party suppliers/vendors as well as sub-contractors comply with applicable GDPR requirements – in other words, they are now responsible for personal data managed by their third-parties. The question however remains, whether and how they are ready to manage this in their business practice? Compliance with the above indicated GDPR requirements comprises of a specific methodical approach that should be carefully integrated into the existing third-party risk management programs. The success of this integration builds on several crucial considerations. Before weighing those, it is important to understand how GDPR (Article 28 in particular) places new requirements on suppliers/vendors and affects the overall third-party relationships. Considering the above, this paper discusses the specific GDPR requirements which were enacted to strengthen companies’ third-party risk management processes and includes a set of practical recommendations on how to establish/amend such programs in the corporate world.