Pluto: A Checklist

In the last post of this series on effective and efficient vendor management, we close with an overview to help you do due diligence holistically. Just as Pluto is not really planet, this is not really an article on how to manage vendors; it’s a checklist. Take a look through this recap and mark where you're doing well and where you could use some improvements. For a recap on any of these chapters, check out the full series in the IAPP Resource Center.

Framework (Chapter 1, Mercury)

  • List the laws, rules, regulations and standards that require a vendor management program.
  • List the requirements for third-party oversight of your program.
  • Reduce these to operational tasks and strategies.
  • Coordinate with key departments, such as regulatory compliance, internal audit and information security.

Entry Points and Bottlenecks (Chapter 2, Venus)

  • Develop thresholds that require approval. For legal review, this may be an amount. For privacy, it should be types of information or systems touched.
  • Develop a policy for how a service, tool or process is acquired–even if free. What department(s) can acquire or engage?
  • If business units can engage, determine the level of authority and oversight. Work with departments that commonly engage vendors. Work with bottleneck departments, typically purchasing, accounts payable, legal, regulatory and IT/information security.
  • Train these teams how to identify privacy issues in vendors.
  • Make sure privacy is part of the vendor approval process

Risk Assessment (Chapter 3, Earth)

  • Within your framework above, identify risks.
  • Map risks to business activities.
  • If you have not mapped data, map data—what data, systems, geographies, retention, etc.
  • Classify vendors based on risk and data-handling.
  • Determine level of data protection—system, folder, file, field.
  • Do due diligence on vendors; determine risk-based approach—what type of due diligence, how often, performed by whom? Identify strategic fit with corporate mission. Identify reputational risk, too, and audit (desktop, in person, third-party reports).
  • Ensure business units understand the impact a review has on the vendor engagement; understand pain points.
  • Identify mitigations for risks and capture in contract if significant; have a process to validate fulfilled.
  • Identify thresholds to abandon vendor engagement (how that happens and who makes the call).
  • Conduct ongoing assessment: when, who performs, how performed, risk-based, mitigation approaches; contract review; performance review, clear line of escalation.

Pain Points (Chapter 4, Mars)

  • Develop a process for certain vendors: contractors, cloud vendors, offshore vendors or elements.

Contract Provisions (Chapter 6, Jupiter)

  • Determine your key issues based on common or your history.
  • Verify due diligence completed appropriately.
  • Check problematic clauses (limitation of liability, indemnification, SLAs, compliance, personal data protection, termination). Are there any red flags in the contract, statement of work or negotiations? Have standard language for these clauses or at least of list of firm haves vs. cannot haves
  • If there is a need to negotiate, talk to the right people. Learn the negotiating style you like and/or are good at.
  • Watch for common but ambiguous terms, e.g., “industry norms” and “acceptable performance;” audit rights.

Ongoing Monitoring (Chapter 7, Saturn)

Determine process and timing based on risk and staffing. Check vendor performance in providing services or products. Check vendor stability and reputation. Pull contract and review any key terms and mitigations. Update audits (desktop, in person, third party reports).

Data Breaches (Chapter 8, Uranus)

  • Have a data breach response plan in place.

Termination (Chapter 9, Neptune)

  • Determine your role in terminations. Tag contracts in which privacy is impacted per vendor classification.
  • Educate business units on import of terminating vendors.
  • Identify reason for termination, and identify business relationships with vendors that may impact termination. Assess if there are options to termination that must be considered.
  • Check contract provisions.
  • Revoke access.
  • Reacquire data in proper format. Obtain certification that all data is returned or destroyed or why it is retained. Tag review at end of retention if data was retained.
  • Check surviving clauses.
  • If transitioning to a new vendor, coordinate process.
  • Check related items. Identify processes reliant on vendor. Check legal obligations related to vendor: DPA registrations, contracts, etc.