If you’re a privacy professional tasked with ensuring your company is in compliance with the upcoming General Data Protection Regulation requirements, one of your main challenges may be communicating the profound shift in how GDPR delineates the roles and responsibilities of “controllers” and “processors.” With this shift in responsibility, companies will need to establish more rigorous practices for managing their relationships with vendors who act as processors.

As an example, a global technology company offering cloud services may act as a controller with regard to its employee data and as a processor with regard to its customer data. Under the GDPR, the company would be responsible for the vendors used to manage its EU employee data (in that case, its processors) and the vendors used to manage its EU customer data (in that case, its sub-processors).

It’s not uncommon to experience some push-back when it comes to raising the red flag over tighter vendor controls. After all, the burden of vendor management is not an easy road. It can be complex and time consuming. But the business case for compliance with GDPR is clear — the penalties are steep and the collateral public relations damage can have a chilling effect on a company’s performance.

So how can you take a pragmatic approach to vendor management under GDPR? Here are some best practices for taming this challenge.

Achieve clarity on legal requirements

Before you mobilize a team to streamline a compliance process, you must have a clear understanding of what the GDPR specifies as obligations to manage processor relationships.

Be sure to examine:

  • Article 28 (1)-(3): Processor Obligations
  • Article 24(1): Controllers
  • Article 29: Processing under the authority of the controller or processor, and
  • Article 46(1): Transfer subject to appropriate safeguards.

In reading these sections of the GDPR, it becomes obvious companies can’t simply outsource the responsibility of data governance and privacy compliance to their vendors. Companies have an obligation to conduct due diligence, have appropriate contract terms in place, and must monitor the services provided by vendors to ensure they are processing data in accordance with applicable data protection regulations. If there is a violation or data breach caused by a vendor, your organization will be liable. (One need only bring to mind the fall-out from Target’s high-profile data breach in 2013, in which a relatively small HVAC vendor allowed hackers relatively unfettered access to customer data.)

In a previous IAPP article, Anna Myers, CIPM, CIPP/US, offers a perspective on these issues.

A framework for compliance: people, process, technology & metrics

To amend a quote by environmentalist and entrepreneur, Paul Hawken: “Good [vendor] management is the art of making problems so interesting and their solutions so constructive that everyone wants to get to work and deal with them.” 

The broad strokes of applying such a constructive and inspiring approach to vendor management include: identifying the right people, formulating a process for interfacing with vendors, leveraging technology to manage the process, and keeping solid metrics for internal and external compliance purposes.

People: A first step is to determine who in your organization should be engaged with vendor selection and management. Someone should be accountable within each business team that utilizes vendors – this may be a chief of staff or VP of a particular functional business or product team. It helps to identify these privacy champions who are responsible for complying with company policy on vendor management and for evangelizing a culture of mindful sharing of data with vendors. While it’s great if you have a formal Vendor Management Office, the alternative may be a committee of stakeholders from the procurement/sourcing, legal, privacy, and security departments.

Process: It’s important to view vendor management as a lifecycle. It begins with the strategic choice of vendors and should include a formal intake process. Often you’ll need to disabuse many of your business partners of the notion that free vendor services or click-through terms are not an issue. Wrong – any processing of personal data by a third-party vendor should be in scope for a GDPR-compliant vendor-management process, regardless of the cost of the service offering. Another common misconception is that these obligations only apply to processors managing customer data. Wrong – processors that manage a company’s employee data must also be in scope.

Defining appropriate contractual terms, conducting security reviews, and sponsoring ongoing maintenance and monitoring are part of the cycle. The goal is consistent treatment of data by the company and its processors to maintain compliance with regulatory obligations and promises made to data subjects.

Technology: Ad hoc vendor inventory and contract record keeping is a recipe for disaster. Many companies struggle with compiling and maintaining a complete inventory of vendors and vendor contracts. This is especially true in siloed organizations where there is no central repository of vendor contracts, or where business teams may keep (or not) copies of vendor contracts locally. Ideally, you’ll want to have a centralized system which will not only track vendor contracts, but will also provide robust reporting to flag vendors who process personal data, flag vendor-use by geo and alert stakeholders of contract terms with upcoming renewal dates.

Metrics: With the right technology platform in place, your organization will have superior visibility into your vendor management roadmap, and should have no problem tracking progress and measuring milestones. This is key, because you will want to be able to create documentation which demonstrates compliance with GDPR.

If you’re planning on attending the upcoming IAPP Global Privacy Summit 2017 in Washington, D.C., don’t miss the session on “How to GDPR-ify Your Vendor Management Program.” This hands-on session will provide guidance on operationalizing the GDPR and improving your vendor management process.

Though the issues and logistics may be complex, it’s important to remember that preparation for the vendor management component of GDPR is attainable. A mindful and strategic approach is warranted so that you can properly know your vendors and hold them accountable.

Written By

Alexandra Ross, CIPP/E, CIPP/US, CIPM, FIP


  • Vijayalakshmi Kannan Mar 16, 2017

    Nice article
  • Marta Moretti Mar 19, 2017

    Interesting article. I would add this suggestion: frame the compensation and termination sections in your agreement with the vendor so that the vendor's failure to comply with data protection obligations would entail for it a reduction of its compensation or the termination of the agreement with penalties.