Every organization has one or more (IT) partners. That is why it is important to ensure that you cannot be attacked through vulnerabilities in the IT landscape of partners. Chain risks can be mitigated by requiring critical partners to take the same security measures and to work together to increase resilience. The GDPR requires the organization to map out data security within the chain and to take responsibility for this. This is especially true for IT suppliers. Ideally, an organization can check whether the IT partner has demonstrably arranged information security well.