Defensible Vendor Privacy Due Diligence
Vendor due diligence is the process that organizations use to examine the risk a current or potential vendor poses to their business operations; it is a critical component of an organization’s privacy compliance strategy. Privacy laws and regulations – both in the United States and internationally – require organizations to effectively manage and monitor their vendors’ information security controls and data privacy practices.
There are four major steps in a risk-based vendor privacy due diligence process.
Step 1 – Vendor Risk Profiling
The first step of the process is to map each vendor based on the significance of its service/product to your organization’s privacy obligations and to assign a criticality level accordingly.
The most common scoping questions include:
- What type of personal data will be shared with, collected by or processed by the vendor?
- What is the vendor going to do with the data?
- Are any sub-contractors involved in the data processing activities?
- Where will the vendor store the data?
- How long will the data be kept, and what are the protocols around deletion?
Vendors that process sensitive personal data are considered critical vendors and need to undergo a comprehensive on-boarding due diligence review and continuous monitoring. Vendors that don’t process sensitive personal data are assigned a less severe risk level, and the review depth and frequency can be adjusted accordingly.
Step 2 – Due Diligence Review
Due diligence review activities include at least the following areas:
General business information
The vendor’s general business information includes office location, financial health, reputation, etc.
Information security program
Primary documents for evaluating the vendor’s information security program include, but are not limited to, the standard security due diligence packet, information security policies and procedures, business continuity plan and procedures, independent security assessment reports, industry certifications, records of previous security incidents, and cyber insurance coverage.
Step 3 – Contractual Agreement
Many privacy regulations require organizations to ensure that their contractual agreements with vendors clearly state the obligations of both parties.
Common contract language includes:
- Security program requirements
- Breach notification, reporting and remediation requirements
- Data subject rights
- Cross-border data transfer
- Data retention
Step 4 – Continuous Monitoring
In addition to comprehensive due diligence reviews, effective continuous monitoring of critical vendors is equally important. Because ongoing monitoring can be resource-intensive, it is recommended to automate the monitoring and remediation of critical vendors.