Chapter Six: Jupiter—The Contract Provisions
Perhaps the largest hurdle in a successful vendor management program is the contracting piece. In the last chapter, on contracting with cloud providers, Pedro Pavon, CIPP/US, provided an excellent overview of the challenges and opportunities not only of using cloud providers but of managing those vendors and their affiliated services. In this chapter, we will consider the actual contracting process, no matter the service being provided. This is the point where you have already established your thresholds (see chapter two on internal elements) and the contract has reached your desk, whether that desk sits in legal or in privacy. This applies no matter the staffing model for how your privacy office works with the legal office.
Often, by the time the contract has reached privacy’s desk, the business unit has already determined that this is the chosen provider. This is not always the appropriate manner, but if your internal elements have functioned properly, this “spend” has been appropriately vetted and made it through the correct channels to reach you.
You can learn a lot about vendors by how they manage the contract process. There are signs that a vendor may be well-prepared, such as the vendor offering its SOC 2 (Service Organization Controls) report along with the contract, but, more commonly, red flags start popping up.
Some of the issues that may appear once the deal is reduced to writing, within the four corners of the contract, are:
- Over-promised and under-delivered: Did the vendor's sales team pitch a product that is not accurately represented, does not perform as promised, or turns out to be a basic sponge when a full housecleaning service was demonstrated? Do the service-level guarantees fall short of the demonstration?
- Did you identify a risk mitigation (see chapter three) that must be written into the contract, but the vendor does not want to put it in writing?
- Is your business unit already caught in the vendor’s net? Often the vendor will offer to perform work ahead of the contract to get the project started, yet if the contract is not signed, the cost is typically out of proportion to the work done.
- Is the language of the contract, or the negotiator, unfriendly or not even neutral? Are they packing so many details into a provision that it is impossible to know what they left in? Is the terminology vague? Are there multiple carve-outs?
- Lastly, is there a volatile technology on either end?
On the other hand, your own team may not be performing ideally when it comes to contracting.
- Urgency rarely drives a good decision. Building partnerships for the future requires a thoughtful approach. Your team may be solving for an emergency now—they need a hammer—when they should be looking for a flexible partner who has a full toolbox, not just a hammer. But if you seriously just need a hammer, don’t buy the toolbox.
- Verify that due diligence was done and the documentation is in place.
- Did they accept offered work performance before a contract was signed?
- The business person may believe they are a crafty negotiator who got a great price. But is it a great value? Did they verbally agree to terms? Did they disclose the full scope of the business need?
This is often where privacy is left out. The price is quoted based on the business need as stated, and, when privacy enters, the price increases because privacy requirements were not in the original scope.
There are many contentious provisions in contracts generally, such as choice of law, arbitration, etc. Most of these would fall under your commercial or contracts divisions, but there are some that may need your review.
- Limitation of liability: This can be problematic with personal data. The limits may be quite unreasonable, such as a cap equal to the price you pay under the contract. I’ve seen, “In no event shall Vendor's liability arising out of this Agreement exceed the total fees paid under your order.” It may seem reasonable, until you start breaking apart the terms and view it in light of the potential damages from a personal data breach. There should be no limit when the vendor is at fault.
- Indemnification: This is a provision that should be managed by the commercial team, but it may affect your privacy concerns. Look for what is carved out, such as actions not under your control—or theirs. Make sure that any carve-outs are consistent across related documents, such as the statement of work, master services agreement and business associate agreement under the Health Insurance Portability and Accountability Act (HIPAA)—especially for this provision and for the limitation of liability discussed above. Note: Some have taken the approach with business associate agreements of not permitting anything in the agreement other than the provisions prescribed under HIPAA, mainly because the agreements become too complex to push down to subcontractors.
- Service-level agreements (SLAs): Check your SLAs if this contractor is handling data that qualifies at your high or medium mark. What are the ramifications, credits, refunds, expectations and exceptions for the SLAs? Does missing an SLA affect data protection? Can you add an SLA that deals with data protection?
- Compliance with applicable laws: Be clear with expectations of what laws, rules, regulations and industry standards you expect to see compliance with and whether you will audit against them. It is fine to include some broad terminology, but articulate the categories, e.g., privacy, security, email, etc.
- Personal data protection: Confidentiality clauses do not always differentiate between, or include both, personal data and corporate data. Be clear about the use, sharing, access, storage, retention and destruction of personal data, including the ability to subcontract. Be reasonable and think broadly. Technology far outpaces the law.
Ending the relationship
We all want strategic relationships to last a long time, but sometimes they do end. Include an exit clause, one that accounts for fault and no-fault. Determine if auto-renewals are part of your vendor philosophy. If a breach of compliance with laws or confidentiality of personal data would end the relationship, set expectations with the business up front.
Make sure the right people, and only the right people, are involved in negotiations on both sides. Sometimes what is being negotiated can be done by an entry-level clerk and sometimes it cannot. If you are involving a senior-level person on your side, you need an equal-level person on their side. Always clarify whether the person you are working with has the authority to make a decision. If you do not already have a nondisclosure agreement in place, you may want to put one in place for the contract negotiation. This likely only matters with key vendors, strategic partners, etc.
Read Getting to Yes by Roger Fisher and William Ury. It is an excellent guide for contract negotiations. Some of the pertinent advice: Distinguish between the people and the issue; focus on the interest, not the position; find a way for both sides to win; and use objective criteria. The book also addresses unequal bargaining power, countering dirty tricks and negotiating with someone who won’t negotiate. The authors define a “wise agreement” as one that is possible, efficient and improves the relationship. Use their BATNA (best alternative to a negotiated agreement) process, which identifies the alternative you have available should the negotiations fail. Is that another vendor, hiring in-house or paying a certain cost to develop?
There are many strategies for negotiating contracts, and they come in handy when there are contentious provisions. Below are some basic strategies that you may be using without realizing it. If not, some may also help you understand how others negotiate.
- Compartmentalize: When addressing contract provisions, break them into smaller pieces to manage. This is easier to tackle than an 80-page contract.
- Win-Win: When you win a point, try to give the other side a win as well. Find opportunities to indicate the other side is right. Remember, you both want to work together.
- Check and Checkmate: If neither side concedes, ask why. Try to get to the rationale underlying the position.
- Drive: Take authority early by setting the agenda, taking notes, arranging the calls and determining the follow-up. If you reach a provision that cannot be negotiated, set it aside and drive collaboration and build group consensus around other issues. Perhaps when you return to the provision later, someone will be more inclined to give on a certain point.
Lastly, some tactical recommendations.
- Use the redline and comment feature to track progress. If a provision makes a full circle without resolution, get on the phone with the right people.
- If you start getting red flags like those mentioned above, be willing to walk or at least have a hard conversation with the business unit on the alarms going off.
- Set priorities on what you need and what you can give up.
- Define terms clearly, e.g., “industry norms” and “acceptable performance.” Use specific and measurable terminology and provide examples as a baseline gauge; for industry norms, for example, use qualifying language such as “better than or equal to ____________,” filling the blank with your standard of choice: NIST, HIPAA, EU BCRs, etc.
- Take one final look at all documents together, especially contentious provisions discussed above, such as limitation of liability and indemnification.
Miss the first five installments of this series? Find them here, at the IAPP’s Resource Center.