Defensible Vendor Privacy Due Diligence 

Vendor due diligence is the process that organizations use to examine a current or potential vendor’s risk to its business operations; it is a critical component of organizations’ privacy compliance strategy.  Privacy laws and regulations – both in the United States and internationally – requires organizations effectively manage and monitor their vendors’ information security controls and data privacy practice. 

There are four major steps in a risk-based vendor privacy due diligence process.

Step 1 – Vendor Risk Profiling

The first step of the process is to map a vendor based on the significance of its service/product to your organization’s privacy obligation and assign a criticality level accordingly. 

The most common scoping questions include: 

• What type of personal data will be shared with, collected by or processed by the vendor? 
• What is the vendor going to do with the data? 
• Is the sub-contractor involved in the data processing activities? 

• Where will the vendor store the data? 
• How long will the data be kept, and what are the protocols around deletion?  

The vendors that process sensitive personal data are considered critical vendors and need to undergo comprehensive on-boarding due diligence review and continuous monitoring.  The vendors that don’t process sensitive personal data are assigned to a less severe risk level, the review depth and frequency can be adjusted accordingly. 

Step 2 – Due Diligence Review

Due diligence review activities include at least the following areas: 

General business Information

Vendor’s general business information includes office location, financial health, reputation, etc.  

Privacy program

The first common step of assessing a vendor’s privacy program is to review its privacy policy published on company web site.  The absence of or an out-of-date privacy policy is a quick risk indicator of its privacy program.  Some red flags are: the privacy policy still refers to Privacy Shield as a legal basis for data transfer from the EU to the US; the privacy policy doesn’t include appropriate disclosures; the privacy policy still combines the EU and the UK. Other critical due diligence documents include but are not limited to privacy questionnaires, previous personal data breaches, privacy policy and procedures, verifiable privacy certification or trust marks.   ]

Information security program

Primary documents to evaluate the vendor’s information security program include but not limited to standard security due diligence packet, information security policy & procedures, business continuity plan & procedure, independent security assessment report, industry certifications, previous security incidents and cyber insurance coverage.  

Step 3 – Contractual Agreement 

Many privacy regulations require organizations to ensure their contract agreements with their vendors clearly state the obligations of both parties.  

Common contract language includes:  

• Security program requirement  
• Breach notification, reporting and remediation requirement  
• Data subject rights 
• Subcontractor 
• Cross-border data transfer 
• Data retention  

Step 4 – Continuous Monitoring  

In addition to comprehensive due diligence reviews, effective continuous monitoring for critical vendors is equally important.  Ongoing monitoring can be resource-insensitive, it is always recommended to automate the monitoring and remediation of critical vendors.