Checking vendors

August 19, 2022

Here’s the secret sauce to doing vendor management right


One of the things you quickly learn as you build a privacy and data protection compliance program is that strong and well-documented relationships are key to success. Unless you are the rare organization that never shares personal data with an outside vendor, client, or partner, an examination of just about any of the world's major privacy laws reveals that you and those you share data with are intimately linked.

While the terminology might differ in some cases, every law from the EU’s General Data Protection Regulation to California’s Consumer Privacy Rights Act to Colorado’s Privacy Act sets up a situation where there are “controllers” and “processors”:

If you are a controller, you are responsible for how the data you share with a third-party processor is handled. If you are a processor, you have to handle the data that’s been shared with you appropriately or you risk losing a client and your reputation in the marketplace.

Clearly, managing this relationship is paramount for both sides — but it can also be a paperwork nightmare. As vendors and clients contract with one another regarding the handling of personal data, any number of issues can arise, including difficulties getting your contract approved and signed, or trouble auditing whether a vendor is honoring a contract’s terms.

It's important to establish a third-party data-sharing program that addresses these issues head-on and helps you manage all of the people and moving parts involved. Doing so lets you assure upper management that compliance risk is low or negligible, and lets you demonstrate compliance and accountability if something goes awry and a regulator comes calling.

Want to learn how? Here’s the secret sauce to doing vendor management right.

Four steps to manage vendors