A major part of keeping your organization in compliance with GDPR is making sure that you partner with vendors (and, in general, third parties) that are also GDPR compliant.
When considering a partnership or other commercial relations with a vendor, it should become a part of the assessment process to also ask a lot of questions related to their data protection practices and policies, organizational, technical and other measures they are using for personal data protection, and in general to assess their GDPR compliance.
On the other side of that same coin, you are also often a vendor to others. They will likewise want to ensure that you are GDPR compliant, and you will often be required to respond to a lot of questions about your organization and its GDPR readiness.
If you have received such a request, it is important to take it seriously and make an effort to reply adequately, as the lack of an appropriate response may cost you the contract, which will probably be awarded to a vendor that is able to demonstrate a good command of the GDPR requirements and compliance with them.
In addition, it is important to ensure that all of your vendors that have access to personal data, or that process personal data on your behalf, execute a data protection agreement (“DPA”) containing all the commitments and warranties the GDPR requires a contract with a data processor to contain.
Vendors that are data processors may not sub-contract to sub-processors unless they are authorized to do so in writing by the data controller (typically addressed in the DPA).