Vendor Management: Best Practices and Guidelines
Over the past few years, we’ve seen vendors become a major source of cyber vulnerability for companies. A single successful compromise of one vendor can expose the personal data held by every company that works with that vendor. How can these risks be minimized?
A key challenge for any organization is keeping track of all vendors and managing the points of access that vendors have into the organization’s information assets. As the marketing, product development and IT departments partner with various third parties to deliver their respective business objectives, privacy and legal teams must be fully embedded and aware of the data sharing and the impact of such third parties. In addition, many new software, app and website features rely on third-party or open-source software, APIs and libraries, increasing the challenges of monitoring every third party who may be receiving the organization’s data.
Clarip’s Data Risk Intelligence scans can help an organization identify its service providers. Information from the scans can also be used to gauge how much data is being shared with each provider, so that an internal decision can be made about the appropriate level of vendor scrutiny.
Taking into account the risks associated with vendors, regular vendor audits, whether conducted by the organization itself or a third-party auditor, are a necessary part of the vendor management process. For example, organizations may contractually require their vendors to provide them with an annual information security certification, such as ISO 27001, by an independent auditing firm.
Organizations should also regularly review their vendor contracts for limitation of liability, breach notification, and data privacy clauses and ensure that contract terms accurately and appropriately allocate risks.
Vendor management is also increasingly regulated by privacy laws. The recently passed California Privacy Rights Act (CPRA), for example, will require that contracts with data processors prohibit them from (i) selling or sharing personal information; (ii) retaining, using, or disclosing the personal information for any purpose other than the business purposes specified in the contract, or outside of the direct business relationship with the business; or (iii) combining the personal information which the processor receives from the business with other personal information, subject to certain exceptions.
In addition, under the CPRA, processors would be contractually obligated to provide the same level of privacy protection as is required of the businesses and would have to notify businesses if they can no longer meet these obligations. Businesses, in turn, would be permitted to monitor compliance with these contracts through annual audits, assessments, ongoing manual reviews and automatic scans and be allowed to take steps to stop and remediate unauthorized use of personal information.
It is important to remember that vendor management is an ongoing process. Vendor evaluations should be carried out regularly and be governed by internal company policies and procedures.
For more details on best privacy practices and guidelines to develop and operationalize a privacy program, download Clarip’s whitepaper: Understanding Privacy Governance.
To schedule a demo, click here or call Clarip at 1-888-252-5653.