Vendor Assessments: The What, Why, and How

Written by Matt Davis, CIPM (IAPP) | May 21, 2024

Research shows that the average business shares its data with over 730 different vendors. It’s hard enough to mitigate risk within your own organization—how do you mitigate risk from more than 730 external entities? 

Your vendors and your vendors’ vendors can expose your business to risk through their poor data privacy practices, lax cybersecurity, unethical business practices, and more. While you can control very little about another organization’s practices, you can mitigate your risk exposure through vendor assessments. But many businesses don’t know where to start. 

Here’s everything you need to know about vendor assessments, who needs them and why, and how to lighten your burden if your company shares data with vendors. 

What Is a Vendor Assessment?  

A vendor risk assessment, also known as a vendor privacy assessment, is a comprehensive review process to evaluate the potential risks of sharing personal or sensitive data with a vendor.   

These assessments should be conducted for all vendors, suppliers, and contractors. For example, you need to assess vendors who help you process payments, engage in marketing analytics or profile your customers, provide shipping and logistics support, or otherwise receive consumers’ personal information in any capacity. 

Why Do a Vendor Assessment?  

Vendor assessments support: 

  • Compliance: Many legal and regulatory frameworks require organizations that handle personal data to comply with data protection and privacy standards, and these laws impose steep penalties for those who fail to do so. More on this in a moment. 
  • Data privacy risk management: Third-party vendor risk is real and increasingly coming under scrutiny. Determining how vendors manage data privacy, including the policies and procedures they follow and their requirements for their own vendors (also known as fourth-party or indirect vendors), is critical to protecting data privacy.  
  • Cybersecurity: Research shows that data breaches are at an all-time high for organizations in the U.S. We saw a 20 percent increase in the number of breaches between 2022 and 2023 alone. In addition to privacy practices, vendor assessments support your cybersecurity program by evaluating a vendor’s security practices, including network security, access controls, and vulnerability management. 
  • Operational continuity: Because vendors are crucial to your company’s operations, it’s vital to ensure vendors have business continuity plans to minimize disruptions in case of vendor-related issues.  
  • Reputational management: A vendor who is a bad actor can do serious collateral damage to your organization’s reputation. Assessments can help you proactively surface negative press, lawsuits, or irresponsible business practices that could reflect poorly on your brand. 
  • Financial risk management: Companies need to fully understand how a vendor could increase financial risk by causing issues with the supply chain, duplicating spend with redundant products or services, or impacting activities that generate revenue for your company.  

Keep in mind that vendor assessments are not one-time events. They should be ongoing throughout the vendor relationship to help your organization make informed decisions and effectively navigate changing circumstances and new risks. 

Regulatory Requirements for Vendor Privacy Assessments 

Not only does conducting a vendor assessment help ensure you’re protecting consumer data, but many privacy laws require assessments.   

The General Data Protection Regulation (GDPR): The European Union’s GDPR requires organizations to conduct due diligence on third-party vendors that process the data of EU residents. The law goes as far as to state that if another processor “fails to fulfill its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that processor’s obligations.” In other words, if you’re a controller under the GDPR, you’re responsible for your vendors’ and your vendors’ vendors’ actions.    

The California Consumer Privacy Act (CCPA): Modeled after the GDPR, the CCPA also requires businesses to ensure their third-party vendors have reasonable security practices and submit a risk assessment “on a regular basis” to the California Privacy Protection Agency.  

Other state and international privacy laws: While the GDPR and CCPA are among the most stringent data privacy laws companies must abide by, other countries and states are starting to follow suit, such as Brazil’s LGPD or Canada’s PIPEDA. To protect consumer data privacy, many consumer data protection laws now include requirements that define what data can be transferred to vendors and how that data can be used, and that set up guardrails to protect the data.

The Health Insurance Portability and Accountability Act (HIPAA): HIPAA requires businesses to disclose the categories of third parties (e.g., healthcare providers, health plans, healthcare clearinghouses, and business associates) they share personal information with and ensure they have security practices to protect personal information.  

Challenges for Companies in Conducting Vendor Assessments 

Time and workload: Business owners have a lot of critical requirements to meet. Risk assessment is just one of them. Vendor privacy assessments can be complicated and time-consuming, especially when they require a dedicated person who understands data privacy, security, and risk management.  

Volume and rate of change: Today, businesses can have hundreds of vendors they rely on to keep things running. Keeping up with changing regulations can make the process more daunting as well. 

Continuity and consistency: Companies must establish continuous monitoring and reassessment processes to account for changes in vendor practices, personnel, and the regulatory environment.  

Vendor Privacy Risk Management: Maintain Compliance and Address Challenges  

A vendor assessment solution can help protect both your company and your customers’ data. Look for a solution that uses automation, templates, and customization in key areas to help you stay up to date with changing regulatory and industry best practices when it comes to mitigating vendor risk. 

For example, Osano’s Vendor Privacy Risk Management and Assessments solutions can automate the vendor assessment workflow and help quantify vendor risk, making it simple to see when the risk of a vendor’s services outweighs the reward. Osano provides:

  • NIST- and ISO-based assessment templates 
  • Customizable assessment templates for bespoke workflows 
  • Secure and centralized assessment storage 
  • Automated deadline alerts and workflow management 
  • Integration with other Osano solutions, such as Data Mapping and Subject Rights Management 
  • Lawsuit and privacy policy change detection 
  • A database of 14,000+ vendors 
  • A quantified vendor risk rating, expressed as a privacy score calculated using a 163-item ontology, machine-learning techniques, and privacy expert judgments

To see these features and more, schedule a demo of Osano today.