Third-Party Agreements: The Bulletproof Checklist for Evaluating Vendors
You’re only as strong as your weakest link.
And most companies are blissfully unaware of their weakest link when it comes to compliance with new and forthcoming privacy regulations.
This hidden danger? Third-party agreements. Truth is, they can make or break your privacy rights implementation.
Third-party vendors are fast becoming the fashion of the day. The General Data Protection Regulation (GDPR) refers to them as processors. Under the California Consumer Privacy Act (CCPA), they include true third party services, as well as service providers.
Outsourcing specialized or less intensive tasks (think technology, marketing, and IT) to experienced outside resources seems like a no-brainer. In fact, it’s proven more efficient and cost-beneficial for most companies that use it.
Because of the increasing demand for third-party vendors, the risks they bring to the table also escalate dramatically. And the responsibility for managing that liability falls fully on the company to which the third-party vendor is contracted.
In other words, you.
Paying attention to what your third-party vendors are sending – and what those third parties are doing with that data – isn’t just a suggested best practice anymore. Regulatory oversight has expanded to make monitoring sensitive data and processes of third parties critical to a company’s operational success.
If you’re a business that doesn’t have vendor evaluation and monitoring processes in place, you’re not alone. Even if you have created these elements, chances are they’re completed and managed on Excel spreadsheets. Worse, you’re probably using a one-size-fits-all approach for analyzing every vendor.
This is a huge red flag.
Not all vendors are the same. A small consulting firm won’t pose the same risks as a large IT database company. Evaluating both of these vendors on the same scale, with the same criteria, is inefficient and ineffective. It’s essential to customize third-party evaluations based on each company’s size.
Proper third-party agreements protect your company from reputational damage and inadvertently violating laws. Because third-party agreements are an essential part of regulatory compliance and can’t be overlooked, all companies should follow a complete privacy checklist to execute them consistently and accurately.
#1 – Nail Down your Vendor List
Sure, you can probably reference a list of vendors, suppliers, distributors and contractors with whom you do business. But under most regulatory guidance, the definition of a third-party vendor is more nuanced than just a simple list.
Many companies don’t understand that it covers any business arrangement between an organization and another entity, by contract or otherwise.
Under this definition, a third-party agreement includes undocumented, verbal, and hand-shake contracts. These could have been established recently or many years ago by someone who doesn’t work at your company any longer. It doesn’t matter. These contract manufacturers, brokers, agents, and resellers all count as vendors and must be a part of your evaluation of third-party agreements.
To take it a step further, some third parties actually outsource some of their own projects to additional resources. If this comes as a shock, don’t worry. It’s standard practice for vendors to do this without the consent or knowledge of the company they’re working for. However, it’s an essential piece of managing third-party agreements.
Point is, you probably have more third-party agreements than you thought. Nailing down your vendor list – including their own subcontractors – is an essential first step for privacy compliance.
#2 – Review and Update Contracts
The next step on the checklist is reviewing and updating your third-party agreements. You’ll have to read through each contract to make sure it adheres to best practices for cybersecurity, data security, and privacy rights. Doubtless you’ll have to update the verbiage in these contracts to reflect privacy standards and clearly lay out duties for each entity to follow.
In order to maintain a clear definition of responsibility for data, you must follow a process to make sure all your vendors are compliant.
The first step in this process is creating and updating an evergreen inventory of security and privacy updates and requirements. You can then use this database to perform a comparable scan of each of your vendor contracts. You’ll want to hone in on specific contract terms and data processing agreements (DPAs) within contracts.
If you’re wondering if your work completed under the GDPR requirements applies for the CCPA, it doesn’t. There are specific requirements for each regulation, so you’ll need separate inventories supporting each standard.
Once you’ve extracted the outdated language from each vendor contract, it’s time to update it with the correct text. Traditionally, this has been the responsibility of the legal team and focused on data security topics. Now the privacy team also needs to have a say because of the privacy risks and stipulations so prevalent in legislation. Individual rights is an especially important part of this, with amendments limiting the use of data only to a specific purpose. Third parties must agree to honor these individual rights requests on your company’s behalf.
If the privacy team doesn’t lay out how and where data should be managed and stored, the security team can’t protect it. Because of this, all new contract language should be pre-written and pre-approved by the legal, security, and privacy teams.
Most importantly, all companies should have an established method for alerting stakeholders when vendors are subject to breaches or regulatory enforcement. The key to reviewing existing third-party agreements is to pinpoint high risk vendor relationships. When you’ve identified these organizations, you can put extra care around monitoring and preventing risks. This will ensure vendor accountability and compliance across the board.
#3 – Create a Third-Party Risk Management Process
The final task on your privacy checklist for evaluating third-party agreements is planning for the future. It’s not enough to ensure your existing vendors are up-to-snuff. You must also create a bulletproof plan for assessing, onboarding, and monitoring vendors you’ll add to your roster in the time ahead.
First, get your team on the same page. This means organizing cross-functional stakeholders from procurement, IT, finance and executives to whom the vendors will report – and privacy officers, of course – to help perform and review new third-party agreements. Next, identify the critical risk categories on which you’ll assess new third parties: strategic, reputational, operational, financial, compliance, security, and/or fraud.
Remember, you also have to make sure appropriate questions are asked to organizations based on their sizes. A simple way to determine evaluation criteria and scoring is through third-party questionnaires. These tools are lifesavers when it comes to evaluating vendors for compliance, security, and other risk factors. Non-profit privacy organizations offer high-quality questionnaires to their members. In addition, any third-party risk management software will normally include these questionnaires for free as a part of a subscription cost.
You may be surprised to learn the most important part of these evaluations is not the completion of them by the vendors in question. It’s critical the team assigned to review these questionnaires – and accept or deny the vendor – actually completes its responsibility, and does it in a timely manner. This cross-departmental group should weigh the scores based on risk impact so vendors can be categorized and prioritized in tiers.
The steps of this third-party risk management plan should be written down and kept on hand by anyone who deals with onboarding new vendors at your company. It should be followed to the letter to ensure all third-party agreements meet company and regulatory standards. And of course, ongoing training is essential. New and existing employees should complete rigorous training on the new third-party risk management process.
Conclusion: Get a Handle on Your Third-Party Agreements
Today’s consumers hold more power than ever before. If there’s an issue with how their data is being managed or used, they’re not going to point the finger at the third-party vendor responsible for the misdemeanor. They’re going to fully blame you – the vendor’s employer.
If you don’t want to get in trouble for something you didn’t do, completing due diligence with your third-party agreements is crucial.
The good news is, risk management software can help you complete this privacy checklist for evaluating third-party agreements in the least amount of time, effort and expense. It allows you to ditch the Excel spreadsheets and dusty digital files. Instead, you’ll be able to utilize a cost-effective, intuitive system that’s applicable to each new vendor.
Hiring a Fractional Privacy Officer (FPO) can also give you a leg up. This individual is adept at creating the review process, managing it from end-to-end, analyzing the assessments, and making it right inside the organization. If you’re interested in seeing how an FPO can exponentially benefit your vendor management process, we’ve got a team of experts who are well-versed in this high-risk area.
Reach out today to schedule a free consultation!