News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Daily Dashboard | A strategic approach to vendor-management under the GDPR Related reading: Third-Party Vendor Management Means Managing Your Own Risk

rss_feed

""

""

If you’re a privacy professional tasked with ensuring your company is in compliance with the upcoming General Data Protection Regulation requirements, one of your main challenges may be communicating the profound shift in how GDPR delineates the roles and responsibilities of “controllers” and “processors.” With this shift in responsibility, companies will need to establish more rigorous practices for managing their relationships with vendors who act as processors.

As an example, a global technology company offering cloud services may act as a controller with regard to its employee data and as a processor with regard to its customer data. Under the GDPR, the company would be responsible for the vendors used to manage its EU employee data (in that case, its processors) and the vendors used to manage its EU customer data (in that case, its sub-processors).

It’s not uncommon to experience some push-back when it comes to raising the red flag over tighter vendor controls. After all, the burden of vendor management is not an easy road. It can be complex and time consuming. But the business case for compliance with GPPR is clear — the penalties are steep and the collateral public relations damage can have a chilling effect on a company’s performance.

So how can you take a pragmatic approach to vendor management under GDPR? Here are some best practices for taming this challenge.

Achieve clarity on legal requirements

Before you mobilize a team to streamline a compliance process, you must have a clear understanding of what the GDPR specifies as obligations to manage processor relationships.

Be sure to examine:

  • Article 28 (1)-(3): Processor Obligations
  • Article 24(1): Controllers
  • Article 29: Processing under the authority of the controller or processor, and
  • Article 46(1): Transfer subject to appropriate safeguards.

In reading these sections of the GDPR, it becomes obvious companies can’t simply outsource the responsibility of data governance and privacy compliance to their vendors. Companies have an obligation to conduct due diligence, have appropriate contract terms in place, and must monitor the services provided by vendors to ensure they are processing data in accordance with applicable data protection regulations. If there is a violation or data breach caused by a vendor, your organization will be liable. (One need only bring to mind the fall-out from Target’s high-profile data breach in 2013, in which a relatively small HVAC vendor allowed hackers relatively unfettered access to customer data.)

In a previous IAPP article, Anna Myers, CIPM, CIPP/US, offers a perspective of these issues.

A framework for compliance: people, process, technology & metrics

To amend a quote by environmentalist and entrepreneur, Paul Hawken: “Good [vendor] management is the art of making problems so interesting and their solutions so constructive that everyone wants to get to work and deal with them.” 

The broad strokes of applying such a constructive and inspiring approach to vendor management include: identifying the right people, formulating a process for interfacing with vendors, leveraging technology to manage the process, and keeping solid metrics for internal and external compliance purposes.

People: A first step is to determine who in your organization should be engaged with vendor selection and management. Someone should be accountable within each business team that utilizes vendors – this may be a chief of staff or VP of a particular functional business or product team. It helps to identify these privacy champions who are responsible for complying with company policy on vendor management and for evangelizing a culture of mindful sharing of data with vendors. While it’s great if you have a formal Vendor Management Office, the alternative may be a committee of stakeholders from the procurement/sourcing, legal, privacy, and security departments.

Process: It’s important to view vendor management as a lifecycle. It begins with the strategic choice of vendors and should include a formal intake process. Often you’ll need to disabuse the notion that many of your business partner may believe – that free vendor services or click through terms are not an issue. Wrong – any processing of personal data by a third-party vendor should be in scope for a GDPR-compliant vendor-management process, regardless of the cost of the service offering. Another common misconception is that these obligations only apply to processors managing customer data. Wrong – processors that manage a company’s employee data must also be in scope.

Defining appropriate contractual terms, conducting security reviews, and sponsoring ongoing maintenance and monitoring are part of the cycle. The goal is consistent treatment of data by the company and its processors to maintain compliance with regulatory obligations and promises made to data subjects.

Technology: Ad hoc vendor inventory and contract record keeping is a recipe for disaster. Many companies struggle with compiling and maintaining a complete inventory of vendors and vendor contracts. This is especially true in siloed organizations where there is no central repository of vendor contracts, or where business teams may keep (or not) copies of vendor contracts locally. Ideally, you’ll want to have a centralized system which will not only track vendor contracts, but will also provide robust reporting to flag vendors who process personal data, flag vendor-use by geo and alert stakeholders of contract terms with upcoming renewal dates.

Metrics: With the right technology platform in place, your organization will have superior visibility into your vendor management roadmap, and should have no problem tracking progress and measuring milestones. This is key, because you will want to be able to create documentation which demonstrates compliance with GDPR

If you’re planning on attending the upcoming IAPP Global Privacy Summit 2017 in Washington, D.C., don’t miss the session on “How to GDRP-ify Your Vendor Management Program.” This hands-on session will provide guidance on operationalizing the GDPR and improving your vendor management process.

Though the issues and logistics may be complex, it’s important to remember that preparation for the vendor management component of GDPR is attainable. A mindful and strategic approach is warranted so that you can properly know your vendors and hold them accountable.

Author
Headshot Alexandra Ross, CIPP/E, CIPP/US, CIPM, CIPT, FIP, PLS IAPP Member Contributor
Tags
Privacy Law
Privacy Operations Management
4 Comments

If you want to comment on this post, you need to login.

  • comment Vijayalakshmi Kannan • Mar 16, 2017 
    Nice article
  • comment Marta Moretti • Mar 19, 2017 
    Interesting article. I would add this suggestion: frame the compensation and termination sections in your agreement with vendor so that vendor's failure to comply data protection obligations would entail for it a reduction of its compensation or the termination of the agreement with penalties.
  • comment Niels Peter Vejtorp Knudsen • Feb 22, 2018 
    Very useable - thanks!
  • comment Mary Westberg • Mar 9, 2018 
    Great article, thank you!
Related Stories
How To Break Up With a Vendor
Like a personal relationship, terminating a contract with a third-party vendor may happen quickly and may be a rocky event, K Royal, CIPP/E, CIPP/US, explains in this installment of her series on third-party vendor management for The Privacy Advisor. Sometimes terminations happen because of unforese...
Read More queue Save This
Drowning In a Sea of Vendors
Jordan Abbott, a compliance attorney at Acxiom, didn't mince words when he opened the pre-conference session at the IAPP's Privacy. Security. Risk. 2015 conference on vendor management. "Bottom line you’re going to take away from this program is: vendors are a problem," Abbott said. That's be...
Read More queue Save This
Top 10 operational impacts of the GDPR: Part 7
The new General Data Protection Regulation put forth by the European Commission in 2012 and finally generally agreed upon by the European Parliament and Council in December, is set to replace the Data Protection Directive 95/46/ec. Although many companies have already adopted privacy processes and p...
Read More queue Save This
Related Stories
Tags
Privacy Law
Privacy Operations Management
Recent Comments