Let’s talk about vendors: the good, the bad, and the complicated.
If you’re reading this page, you probably use them. You probably have thought long and hard about how they can expand your business services, streamline your operations, and make you more competitive.
High five! You should be thinking about those things. But those issues are only half of what you need to be concerned with.
What else should be on your radar? Vendor risk management.
What is vendor risk management? The basic basics.
When you’re talking about a vendor risk management system, you’re talking about everything that falls under the scope of mitigating the risks posed by incorporating third-party vendors into your business operations.
The goal is to reduce the risks to your data security and privacy practices and prevent business disruption, compromised data, and financial and reputational damage.
As with any complex, nuanced issue (and data security and privacy is definitely that), you need to have a fully comprehensive plan and process that:
- Assesses and tracks vendor relationships and contracts
- Monitors data and how it flows to vendors
- Identifies and reduces risks
- Evaluates vendor performance
- Tracks compliance requirements and metrics
Easy-peasy, lemon squeezy, right? (Actually, most people’s first response is “difficult, difficult, lemon difficult.”)
But whether this sounds like a challenge you’re excited for or not, you need to know how your third-party vendors treat your data, your customers’ data, and where they stand on the whole “let’s stay compliant” game.
Who are vendors?
Vendors don’t just fit neatly into one little box and neither do vendor relationships. And depending on the regulatory frameworks that you need to comply with, definitions can vary. The California Consumer Privacy Act views vendors differently than the General Data Protection Regulation does. (Even terminology is different – under GDPR, vendors are known as “processors” while CCPA calls them “service providers.”)
But for our purposes right now, the term “vendor” encompasses a huge variety of relationships, services, and agreements. Vendor relationships can:
- Be short-term or long-term
- Involve formal contracts or verbal agreements
- Be paid or unpaid
- Be with small mom-and-pop outfits, independent contractors, multinational companies, and more
Vendors don’t just provide IT or software services, either. When we’re talking about data privacy, security, and compliance, we’re looking at any past, present, or future business arrangement between an organization and another entity, by contract or otherwise. Let’s look at a few examples:
- Your IT provider who maintains your company-wide servers (you know, the ones that are used every single day and store all your information)
- Your marketing agency that manages your email marketing campaigns
- Your HR provider who helps you run your payroll services
- Your Software-as-a-Service (SaaS) provider who offers a free trial of a customer management solution
These are just a few examples of vendors that you might come into contact with in the course of doing business. Your job in developing a vendor management program is to establish a process for overseeing everything about your relationship with them.
(Okay, so it may not be you specifically. But you’ll want to have someone who oversees vendor relationships as part of their job, i.e., a vendor manager.)
How do your vendors impact data security and privacy?
Before we dive into how to build a solid vendor management process, let’s look at why, why, why it’s so critical to have one in place. What risks come with the vendor territory, anyway?
Because it’s not good enough to just know that there are vaguely intimated “risks.” Knowing what’s really at stake helps you address vendors and extend your data privacy obligations along your entire supply chain.
Vendor risk comes in a few different flavors. Vendors pose:
- Operational risk
- Data security risks
- Financial risks
- Legal and regulatory (i.e., compliance) privacy risks
- Reputational risks
Unfortunately, these risks can have a cascading effect. One leads to the other. That’s why vendor evaluation should be taken seriously from start to finish. (And beyond.)
Where to start when developing a vendor management program
One of the best ways to mitigate cybersecurity and privacy risks posed by third-party vendors is to implement a Vendor Risk Management Program.
A vendor privacy management program should reflect how much security your data demands and how risk tolerant your organization is. For optimal results, your program should start before your vendors are even onboarded, as you determine which services and activities you need vendors for in the first place. Lead with privacy and privacy will follow.
Identifying your vendors and the scope of relationships
Do you know who all your vendors are? You probably have a list. But does that list account for everyone you have a vendor relationship with?
Now is the time to do a deep dive and come up with “The Exhaustive List of All Your Vendor Relationships.” This information is pulled from previously performed data inventory work – but if that hasn’t been done, now is 1000% the time to do it.
Want to know more about how to organize a data inventory? Check out our downloadable data inventory template.
This should cover the main points of vendor information – the Who, What, When, Where, and Whys of these relationships. But the real kicker is that your list shouldn’t stop at just your vendors. It really needs to include your vendors’ vendors, also known as subprocessors.
Why is this important? Via your third-party vendor, subprocessors end up with access to your data – and your clients’ data. And if they experience issues, it can impact your business operations and your clients’ security. These problems can be as temporary as a service outage or as impactful as a data breach.
Either way, you need to know that these vendors are doing their part to stay compliant.
No risky business
Risk needs to be spelled out when you’re putting together a vendor management process. Not all risk is created equal. In fact, some level of risk is unavoidable. The goal isn’t to avoid all risks but to determine what the risks are and then build appropriate internal controls in response to them.
Here are the categories you can use to rate vendors, based on their level of risk:
- Critical risk: These vendors are (for lack of a better phrase) mission-critical to your business operations. If they can’t deliver the contracted services, it could shut everything down.
- High risk: These vendors either:
- Have access to customer data, with a high risk of information loss if they are compromised
- Are relied upon by your organization to a high degree
- Medium risk: These vendors either:
- Have limited access to customer information
- Are ones whose loss would be disruptive to your business operations
- Low risk: These vendors don’t have access to customer data. If you didn’t have their services, it wouldn’t disrupt your business.
A vendor’s tier should follow the data that actually reaches it, including what it receives from another of your vendors as a subprocessor, not only what you hand it directly.
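The inventory and tiering described above (the vendor list that includes subprocessors, and the four risk tiers) as an added example in Python. This is not code from the original article or from Red Clover Advisors: the vendor names, data-category labels, dependency labels, `passes_to` map and review dates are all constructed, and the tier rules are a reading of the tiers listed above. It derives each vendor’s tier from the data that reaches it transitively, flags subprocessors that appear in the graph but not in your inventory, and flags annual reviews that are overdue.

```python
"""Vendor inventory that derives each vendor's risk tier from the data that
actually reaches it, including data a vendor passes on to its subprocessors.

Added example, not code from the original article or from Red Clover
Advisors. Vendor names, data categories, dependency labels and dates are
constructed; the tier rules encode the four tiers described in the article.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, FrozenSet, Optional

# Constructed data-category labels, most to least sensitive.
CUSTOMER_PII = "customer_pii"          # full customer records
CUSTOMER_LIMITED = "customer_limited"  # e.g. an email address only
INTERNAL = "internal"                  # company data with no customer data


@dataclass
class Vendor:
    name: str
    # Categories you hand this vendor directly.
    direct_data: FrozenSet[str] = frozenset()
    # Operational dependency: "critical", "high", "disruptive" or "none".
    dependency: str = "none"
    # Subprocessor name -> categories this vendor forwards to it.
    passes_to: Dict[str, FrozenSet[str]] = field(default_factory=dict)
    last_review: Optional[date] = None


def data_reaching(inventory, name, _path=()):
    """Everything reaching `name`: what you share directly plus whatever each
    upstream vendor forwards, bounded by what reaches that upstream vendor."""
    if name in _path:                      # guard against cyclic inventories
        return frozenset()
    reached = set(inventory[name].direct_data) if name in inventory else set()
    for upstream in inventory.values():
        forwarded = upstream.passes_to.get(name)
        if forwarded:
            reached |= data_reaching(inventory, upstream.name, _path + (name,)) & forwarded
    return frozenset(reached)


def risk_tier(data, dependency):
    """Tier rules in the order the article lists them: criticality first."""
    if dependency == "critical":
        return "critical"
    if CUSTOMER_PII in data or dependency == "high":
        return "high"
    if CUSTOMER_LIMITED in data or dependency == "disruptive":
        return "medium"
    return "low"


def assess(inventory, today, review_interval=timedelta(days=365)):
    """Tier every vendor and every subprocessor anyone names, flagging
    overdue annual reviews and subprocessors missing from the inventory."""
    names = set(inventory)
    for v in inventory.values():
        names |= set(v.passes_to)
    report = {}
    for n in sorted(names):
        v = inventory.get(n)
        data = data_reaching(inventory, n)
        dependency = v.dependency if v else "none"
        overdue = v is None or v.last_review is None or today - v.last_review > review_interval
        report[n] = {
            "tier": risk_tier(data, dependency),
            "data": data,
            "overdue": overdue,
            "missing": v is None,   # a vendor's vendor you hold no record of
        }
    return report


def sample_inventory():
    """Constructed inventory mirroring the article's examples."""
    return {
        "crm-saas": Vendor("crm-saas", frozenset({CUSTOMER_PII, INTERNAL}), "high",
                           passes_to={"cloud-host": frozenset({CUSTOMER_PII})},
                           last_review=date(2023, 1, 10)),
        "email-agency": Vendor("email-agency", frozenset({CUSTOMER_LIMITED}), "disruptive",
                               passes_to={"cloud-host": frozenset({CUSTOMER_LIMITED}),
                                          "analytics-co": frozenset({CUSTOMER_LIMITED})},
                               last_review=date(2024, 3, 1)),
        # You share nothing with the host directly, yet customer PII reaches it.
        "cloud-host": Vendor("cloud-host", dependency="critical", last_review=date(2024, 2, 1)),
        # Free tools still belong on the list, even if never formally reviewed.
        "free-survey-tool": Vendor("free-survey-tool", frozenset({INTERNAL})),
    }


if __name__ == "__main__":
    for name, r in assess(sample_inventory(), date(2024, 6, 1)).items():
        flags = [f for f in ("overdue", "missing") if r[f]]
        print(f"{name:18} {r['tier']:9} {sorted(r['data'])} {flags}")
```

Two things in the report are worth acting on: any entry flagged `missing` is a vendor’s vendor your list doesn’t cover, and any vendor whose reached data is broader than what you knowingly shared with it is a contract conversation about what its upstream vendor is allowed to forward.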
Vetting and due diligence
If you’re considering bringing on a new vendor, you’ll want to vet them. And not just by doing a quick Google search or checking the company’s LinkedIn page. You want to be consistent and consistently thorough. (See above.)
Your process should follow a standardized checklist for each and every potential vendor. Your checklist should include:
- Getting references
- Implementing regular vendor risk assessments
- For critical and high-risk vendors, requiring them to provide:
- Evidence of security controls such as information security policies, disaster recovery test results, proof of insurance, financial statements, etc.
- Evidence of ability to ensure continuity of service
- Evidence of an incident management program that meets industry compliance and best practice standards
- Internal documenting and reporting procedures
These requests should be accepted and – dare I say – welcomed by the vendor. If they aren’t willing to extend this, then you’ve reached the “Stop, Do Not Pass Go” place on the board.
Contracts: Creating and reviewing
Your vendor contracts and agreements are big pieces of your vendor management puzzle. Your contracts should do the following to ensure a mutually beneficial, mutually protected relationship.
Cross-border transfer
We know that data has a serious case of wanderlust. It can move from vendor to vendor in the blink of an eye, and before you know it, it’s made its way over to the EU. (Or vice versa.)
When data travels like this, you need to be aware of what’s known as “cross-border transfers.” Your contract should include provisions for how your vendor manages this process and what steps they have in place to meet the specific requirements a transfer might trigger (for example, the lawful transfer mechanism GDPR requires before personal data leaves the EU).
Data protection addendum: Defining terms and relationships
As per your working relationship, what are personal data and sensitive information? Who are the data owners and who is the third-party in your written agreement? Establishing this helps you both understand how you’ll work together.
You’ll also need to define the purpose and duration of the agreement between you and the third party. It needs to be clear what you’re asking the third-party to comply with regarding privacy program management and risk mitigation.
Confidentiality and accessibility
Your contract needs to put forth what data is being collected and, importantly, who has access to it. The goal? Ensure strict limitations to accessibility and minimize what personal data is disclosed. To help with this, you should detail the purpose of disclosure to ensure clarity for both parties.
Audits and support
Your contract should cover any requirements for audits and support needed from the third party. Much like minimizing data disclosure, your contract should strive to include only strictly necessary measures for audits. Are on-site audits, for example, essential for you to meet your goals? If not, it may be better not to contractually require them. For critical and high-risk vendors, though, keep the right to independent assessments and to the resulting audit documents; that is what your annual review will lean on.
Your contract should also detail what kind of help your vendors will provide for fulfilling individual rights requests and in cases of data breaches.
End of contract obligations
No vendor relationship lasts forever. Your contract needs to spell out what happens to data when you part ways. Do they return it? Destroy it? What about subprocessors? Make sure to be thorough here to protect your customers.
You need to build contract review into your processes. This is a job that should be handled across teams, so make sure to bring in your legal counsel, procurement team, and leadership on these discussions.
You should develop a contract management system that tracks the things you need to know for privacy protection. Keep in mind, though, that free or low-cost vendors may not meet the threshold for legal review. Account for this possibility in your process.
As with your security questionnaires, your contracts should be reviewed annually. When reviewing contracts, make sure the following is in place:
- Vendor commits to keeping systems, data security, and privacy in line with best practices and industry standards
- Vendor is meeting confidentiality and privacy requirements
- Vendor commits to notifying you of security breaches, incidents, and potential vulnerabilities within a defined timeframe, since your own breach-notification deadlines depend on hearing from them promptly
- Vendor commits to independent audits and assessments and to providing you access to the audit documents
Having a vendor management process isn’t just about what you do when you bring on new vendors. It’s just as important to know how you are going to go about managing vendors, from initiating relationships to terminating them. Here are the best practices for this ongoing work.
Data mapping/data inventory
Your vendors have access to your data. But do you know exactly what they have access to and how it moves from your system through theirs? Data inventories offer a snapshot of this process that is invaluable for understanding risks.
Questionnaires. They’re not just for BuzzFeed. The privacy industry’s gold-standard best practice is to require that your vendors regularly self-audit their security practices.
Your questionnaire should, at the minimum, cover the following:
- Vendor’s business relationships
- Data handling and security practices
- Incident management and response plans
- How data will be used and stored
- Cross-border requirements
- Individual rights capabilities
- Privacy notice disclosures
When completed, the questionnaire should allow you to better identify the overall risk the vendors pose and provide documentation of your due diligence.
And take note: this section is put under “Ongoing Work” because it’s exactly that. These questionnaires aren’t one-and-doners. They are essential for helping with continually monitoring your vendors and preventing all of the worrying things that happen when your data is compromised.
As such, you should be sending these out annually to your vendors to monitor vendors, track new risks, and prevent security threats from reaching your business and your customers.
Vendor performance management
Privacy and data security are key, but let’s pause for a moment to look at performance management. Your vendors provide services that you need, but are they providing them at the level you need? Are they meeting your expectations and the milestones you establish? Are they living up to your service-level agreements and KPIs?
Your vendor and supplier management process is an opportunity to gather this information and analyze it.
Working with your team
To promote transparency, build partnerships across your organization so that vendor activity is visible to everyone who needs to see it.
When it comes to data security and privacy, you should be investing in team training. It’s a best practice, but may also be required. Does everyone in your organization understand the potential risks that vendors pose? The prevalence of free vendors can be a weak link for your team and a solid privacy training program can bring everyone onto the same page.
No relationship – business or otherwise – lasts forever. Whether you’ve outgrown a vendor, they’ve gone out of business, or they’ve failed to live up to compliance standards, you need to put processes in place for all end-of-relationship contingencies.
This should cover your contract (see above for details!) but also your internal processes and decision-making steps. Natural terminations can be easier to navigate, but ending relationships because of noncompliance can be trickier. Your process should detail the whys and hows of these situations.
Have a backup plan.
Sometimes vendors seemingly fall off the face of the earth. In these cases, you need to have backups, especially if they’re a critical service. Being able to pivot quickly and with confidence helps you maintain your standard of service.
Relaxed restrictions with long-term vendors can be a big risk. Whether you’re five days into a vendor relationship or five years, you need to approach them with the same level of care.
One key way to reduce risk is to only give vendors access to what data they need to get their job done and no more. This approach dovetails nicely with compliance mandates to minimize data. Data minimization is one of the most efficient ways to reduce your risk factors and maintain a high degree of consumer trust.
Red Clover Advisors has been making data privacy practices simple and straightforward for clients since Day 1. Whether you’re a fresh startup that wants to prioritize privacy and compliance training from the get-go or an established business needing to reshape your approach, we give your team information that is practical and actionable.
Take your company beyond compliance. Reach out to our team at Red Clover Advisors today to start with your free consultation.